{"id":"UBUNTU-CVE-2025-46728","details":"cpp-httplib is a C++ header-only HTTP/HTTPS server and client library. Prior to version 0.20.1, the library fails to enforce configured size limits on incoming request bodies when `Transfer-Encoding: chunked` is used or when no `Content-Length` header is provided. A remote attacker can send a chunked request without the terminating zero-length chunk, causing uncontrolled memory allocation on the server. This leads to potential exhaustion of system memory and results in a server crash or unresponsiveness. Version 0.20.1 fixes the issue by enforcing limits during parsing. If the limit is exceeded at any point during reading, the connection is terminated immediately. A short-term workaround through a Reverse Proxy is available. If updating the library immediately is not feasible, deploy a reverse proxy (e.g., Nginx, HAProxy) in front of the `cpp-httplib` application. Configure the proxy to enforce maximum request body size limits, thereby stopping excessively large requests before they reach the vulnerable library code.","modified":"2026-05-20T16:11:22.617499866Z","published":"2025-05-06T01:15:00Z","upstream":["CVE-2025-46728"],"references":[{"type":"REPORT","url":"https://ubuntu.com/security/CVE-2025-46728"},{"type":"REPORT","url":"https://www.cve.org/CVERecord?id=CVE-2025-46728"},{"type":"REPORT","url":"https://github.com/yhirose/cpp-httplib/commit/7b752106ac42bd5b907793950d9125a0972c8e8e"},{"type":"REPORT","url":"https://github.com/yhirose/cpp-httplib/security/advisories/GHSA-px83-72rx-v57c"}],"affected":[{"package":{"name":"cpp-httplib","ecosystem":"Ubuntu:Pro:22.04:LTS","purl":"pkg:deb/ubuntu/cpp-httplib?arch=source&distro=esm-apps%2Fjammy"},"ranges":[{"type":"ECOSYSTEM","events":[{"introduced":"0"}]}],"versions":["0.9.9+ds-1","0.9.10+ds-1","0.10.1+ds-1","0.10.2+ds-1","0.10.3+ds-1","0.10.3+ds-1ubuntu0.1~esm1"],"ecosystem_specific":{"binaries":[{"binary_name":"libcpp-httplib0","binary_version":"0.10.3+ds-1ubuntu0.1~esm1"}]},"database_specific":{"source":"https://github.com/canonical/ubuntu-security-notices/blob/main/osv/cve/2025/UBUNTU-CVE-2025-46728.json"}},{"package":{"name":"cpp-httplib","ecosystem":"Ubuntu:Pro:24.04:LTS","purl":"pkg:deb/ubuntu/cpp-httplib?arch=source&distro=esm-apps%2Fnoble"},"ranges":[{"type":"ECOSYSTEM","events":[{"introduced":"0"}]}],"versions":["0.13.1+ds-1ubuntu1","0.14.3+ds-1","0.14.3+ds-1.1","0.14.3+ds-1.1build1","0.14.3+ds-1.1build2","0.14.3+ds-1.1ubuntu0.1~esm1"],"ecosystem_specific":{"binaries":[{"binary_version":"0.14.3+ds-1.1ubuntu0.1~esm1","binary_name":"libcpp-httplib0.14t64"}]},"database_specific":{"source":"https://github.com/canonical/ubuntu-security-notices/blob/main/osv/cve/2025/UBUNTU-CVE-2025-46728.json"}},{"package":{"name":"cpp-httplib","ecosystem":"Ubuntu:25.10","purl":"pkg:deb/ubuntu/cpp-httplib?arch=source&distro=questing"},"ranges":[{"type":"ECOSYSTEM","events":[{"introduced":"0"}]}],"versions":["0.18.7-1","0.18.7-1ubuntu0.25.10.1"],"ecosystem_specific":{"binaries":[{"binary_name":"libcpp-httplib0.18","binary_version":"0.18.7-1ubuntu0.25.10.1"}]},"database_specific":{"source":"https://github.com/canonical/ubuntu-security-notices/blob/main/osv/cve/2025/UBUNTU-CVE-2025-46728.json"}},{"package":{"name":"cpp-httplib","ecosystem":"Ubuntu:26.04:LTS","purl":"pkg:deb/ubuntu/cpp-httplib?arch=source&distro=resolute"},"ranges":[{"type":"ECOSYSTEM","events":[{"introduced":"0"}]}],"versions":["0.18.7-1","0.26.0+ds-2ubuntu2","0.26.0+ds-2ubuntu3"],"ecosystem_specific":{"binaries":[{"binary_name":"libcpp-httplib0.26","binary_version":"0.26.0+ds-2ubuntu3"}]},"database_specific":{"source":"https://github.com/canonical/ubuntu-security-notices/blob/main/osv/cve/2025/UBUNTU-CVE-2025-46728.json"}}],"schema_version":"1.7.5","severity":[{"type":"CVSS_V3","score":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H"},{"type":"Ubuntu","score":"medium"}]}