HIGH🇬🇧 English

CVE-2026-31870

CVSS 7.5v3.1pub. 2026-03-11upd. 2026-03-18

cpp-httplib is a C++11 single-file header-only cross platform HTTP/HTTPS library. Prior to 0.37.1, when a cpp-httplib client uses the streaming API (httplib::stream::Get, httplib::stream::Post, etc.), the library calls std::stoull() directly on the Content-Length header value received from the server with no input validation and no exception handling. std::stoull throws std::invalid_argument for non-numeric strings and std::out_of_range for values exceeding ULLONG_MAX. Since nothing catches these exceptions, the C++ runtime calls std::terminate(), which kills the process with SIGABRT. Any server the client connects to — including servers reached via HTTP redirects, third-party APIs, or man-in-the-middle positions can crash the client application with a single HTTP response. No authentication is required. No interaction from the end user is required. The crash is deterministic and immediate. This vulnerability is fixed in 0.37.1.

oryginał EN
CVSS Vector
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
  • Yhirose Cpp Httplib

    APP
    Yhirose
    < 0.37.1
🔵
ZWERYFIKUJ U PRODUCENTA
Brak jednoznacznych danych o patchu. Sprawdź referencje od producenta.
CWE
Referencje

Powiązane podatności

CVE-2026-45372CRITICAL9.9PL ✓ten sam produkt

cpp-httplib: HTTP response splitting poprzez header injection (CRLF injection)

CVE-2025-66570CRITICAL10.0PL ✓ten sam produkt

cpp-httplib: spoofing nagłówków HTTP umożliwia bypass autoryzacji i zatrucie logów

CVE-2026-46527HIGH8.7ten sam produkt

cpp-httplib is a C++11 single-file header-only cross platform HTTP/HTTPS library. Prior to 0.44.0, When the se...

CVE-2026-33745HIGH7.4ten sam produkt

cpp-httplib is a C++11 single-file header-only cross platform HTTP/HTTPS library. Prior to 0.39.0, the cpp-htt...

CVE-2026-32627HIGH8.7ten sam produkt

cpp-httplib is a C++11 single-file header-only cross platform HTTP/HTTPS library. Prior to 0.37.2, when a cpp-...

CVE-2026-31870 — HIGH 7.5 | CVEbaza.pl