#VU110691 Resource exhaustion in Cpp-httplib - CVE-2025-46728

Cybersecurity Help s.r.o.

Published: 2025-06-10

Vulnerability identifier: #VU110691

Vulnerability risk: Medium

CVSSv4.0: 6.6 [CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:U/U:Green]

CVE-ID: CVE-2025-46728

CWE-ID: CWE-400

Exploitation vector: Network

Exploit availability: No

Vulnerable software:
Cpp-httplib

Vendor: Cpp-httplib Project

Description

The vulnerability allows a remote attacker to perform a denial of service (DoS) attack.

The vulnerability exists due to application does not properly control consumption of internal resources when handling requests with "Transfer-Encoding: chunked" is used and no Content-Length header is provided. A remote attacker can send specially crafted HTTP requests to trigger resource exhaustion and perform a denial of service (DoS) attack.

Mitigation
Install updates from vendor's website.

Vulnerable software versions

Cpp-httplib: 0.2.0 - 0.20.0

External links
https://github.com/yhirose/cpp-httplib/commit/7b752106ac42bd5b907793950d9125a0972c8e8e
https://github.com/yhirose/cpp-httplib/security/advisories/GHSA-px83-72rx-v57c

Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.

Is there known malware, which exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.

Latest bulletins with this vulnerability

openEuler 22.03 LTS SP4 update for cpp-httplib

openEuler 24.03 LTS update for cpp-httplib

openEuler 24.03 LTS SP1 update for cpp-httplib

openEuler 22.03 LTS SP3 update for cpp-httplib

Denial of service in cpp-httplib