{"id":"CVE-2025-52887","summary":"cpp-httplib has unlimited number of http header fields, which causes memory leak","details":"cpp-httplib is a C++11 single-file header-only cross-platform HTTP/HTTPS library. In version 0.21.0, when many HTTP header fields are passed in, the library does not limit the number of headers, and the memory associated with the headers will not be released when the connection is disconnected. This leads to potential exhaustion of system memory and results in a server crash or unresponsiveness. Version 0.22.0 contains a patch for the issue.","aliases":["GHSA-xjhg-gf59-p92h"],"modified":"2026-05-29T07:34:37.178741Z","published":"2025-06-26T14:31:52.092Z","database_specific":{"cna_assigner":"GitHub_M","cwe_ids":["CWE-400"],"osv_generated_from":"https://github.com/CVEProject/cvelistV5/tree/main/cves/2025/52xxx/CVE-2025-52887.json"},"references":[{"type":"ADVISORY","url":"https://github.com/CVEProject/cvelistV5/tree/main/cves/2025/52xxx/CVE-2025-52887.json"},{"type":"ADVISORY","url":"https://github.com/yhirose/cpp-httplib/security/advisories/GHSA-xjhg-gf59-p92h"},{"type":"ADVISORY","url":"https://nvd.nist.gov/vuln/detail/CVE-2025-52887"},{"type":"FIX","url":"https://github.com/yhirose/cpp-httplib/commit/28dcf379e82a2cdb544d812696a7fd46067eb7f9"}],"affected":[{"ranges":[{"type":"GIT","repo":"https://github.com/yhirose/cpp-httplib","events":[{"introduced":"0"},{"fixed":"28dcf379e82a2cdb544d812696a7fd46067eb7f9"}]}],"versions":["v0.21.0","v0.20.1","v0.20.0","v0.19.0","v0.18.7","v0.18.6","v0.18.5","v0.18.4","v0.18.3","v0.18.2","v0.18.1","v0.18.0","v0.17.3","v0.17.2","v0.17.1","v0.17.0","v0.16.3","v0.16.2","v0.16.1","v0.16.0","v0.15.3","v0.15.2","v0.15.1","v0.15.0","v0.14.3","v0.14.2","v0.14.1","v0.14.0","v0.13.3","v0.13.2","v0.13.1","v0.13.0","v0.12.6","v0.12.5","v0.12.4","v0.12.3","v0.12.2","v0.12.1","v0.12.0","v0.11.4","v0.11.3","v0.11.2","v0.11.1","v0.11.0","v0.10.9","v0.10.8","v0.10.7","v0.10.6","v0.10.5","v0.10.4","v0.10.3","v0.10.2","v0.10.1
","v0.10.0","v0.9.10","v0.9.9","v0.9.8","v0.9.7","v0.9.6","v0.9.5","v0.9.4","v0.9.3","v0.9.2","v0.9.1","v0.9.0","v0.8.9","v0.8.8","v0.8.7","v0.8.6","v0.8.5","v0.8.4","v0.8.3","v0.8.2","v0.8.1","v0.8.0","v0.7.18","v0.7.17","v0.7.16","v0.7.15","v0.7.14","v0.7.13","v0.7.12","v0.7.11","v0.7.10","v0.7.9","v0.7.8","v0.7.7","v0.7.6","v0.7.5","v0.7.4","v0.7.3","v0.7.2","v0.7.1","v0.7.0","v0.6.7","v0.6.6","v0.6.5","v0.6.4","v0.6.3","v0.6.2","v0.6.1","v0.6.0","v0.5.13","v0.5.12","v0.5.11","v0.5.10","v0.5.9","v0.5.8","v0.5.7","v0.5.6","v0.5.5","v0.5.4","v0.5.3","v0.5.2","v0.5.1","v0.5.0","v0.4.2","v0.4.1","v0.4.0","v0.3.3","v0.3.2","v0.3.1","v0.3.0","v0.2.6","v0.2.5","v0.2.4","v0.2.3","v0.2.2","v0.2.1","v0.2.0"],"database_specific":{"vanir_signatures_modified":"2026-05-29T07:34:37Z","vanir_signatures":[{"signature_type":"Line","id":"CVE-2025-52887-c2164cbf","deprecated":false,"target":{"file":"httplib.h"},"signature_version":"v1","source":"https://github.com/yhirose/cpp-httplib/commit/28dcf379e82a2cdb544d812696a7fd46067eb7f9","digest":{"threshold":0.9,"line_hashes":["275671391591463579219520520614650526839","297383916161159859848780964783816081383","187952879261299001881179846929970812144","108467006016609729936947179732288890854","60437407063666212446384722396188081109","79392757655228775030965665326420554885","224490661419801020594851913768626804333","6545929181602795824567813733300304456","195668060767580618445981164458526445517","282916166251811646021848639583646281735","237015639466640384429116307850737299063","240522512309630831697827857464120036961","63023319149774050960125992398873200987","297398128986816905378546040946489315767","337289218457491915173034727001663527758","242023523799936387776870628063942765801","281335586367702852998984842891947664423","110684756889977617031225251891009789171","172888895135880388131131509848479196575","270125226515358489486528445998419911337","210855358438095199607249721858741902875"]}},{"signature_type":"Function","id":"CVE-2025-5288
7-c782cf8c","deprecated":false,"target":{"function":"read_headers","file":"httplib.h"},"signature_version":"v1","source":"https://github.com/yhirose/cpp-httplib/commit/28dcf379e82a2cdb544d812696a7fd46067eb7f9","digest":{"function_hash":"337178125486439535957185878008304747404","length":725}},{"signature_type":"Line","id":"CVE-2025-52887-e63cb16c","deprecated":false,"target":{"file":"test/test.cc"},"signature_version":"v1","source":"https://github.com/yhirose/cpp-httplib/commit/28dcf379e82a2cdb544d812696a7fd46067eb7f9","digest":{"threshold":0.9,"line_hashes":["244555817801813912373752667492877105211","328908995521614501975032834039713335962","222347871147095164020821689313696166393","294892978126976142761233337511089165018","264890639792726382961425057853420409226","6445826477426803153860939004585363110","28570163837484994210360242146308815836","120211105383261912669870357306172856775","257768843338617806296604682044413224828","177128883742143955674719429924762349700"]}},{"signature_type":"Function","id":"CVE-2025-52887-f0231070","deprecated":false,"target":{"function":"read_content_chunked","file":"httplib.h"},"signature_version":"v1","source":"https://github.com/yhirose/cpp-httplib/commit/28dcf379e82a2cdb544d812696a7fd46067eb7f9","digest":{"function_hash":"91596895803306304005231320572906139632","length":1154}}],"source":"https://storage.googleapis.com/osv-test-cve-osv-conversion/osv-output/CVE-2025-52887.json"}}],"schema_version":"1.7.5","severity":[{"type":"CVSS_V3","score":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H"}]}