CVE-2025-52887

EUVD-2025-19196

26.06.2025, 15:15

cpp-httplib is a C++11 single-file header-only cross platform HTTP/HTTPS library. In version 0.21.0, when many http headers fields are passed in, the library does not limit the number of headers, and the memory associated with the headers will not be released when the connection is disconnected. This leads to potential exhaustion of system memory and results in a server crash or unresponsiveness. Version 0.22.0 contains a patch for the issue.

Provider	Type	Base Score	Atk. Vector	Atk. Complexity	Priv. Required	Vector
NIST	Primary	7.5 HIGH	NETWORK	LOW	NONE	CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

Base Score

CVSS 3.x

EPSS Score

Percentile: 67%

Affected Products (NVD)

Vendor	Product	Version
yhirose	cpp-httplib	0.21.0

𝑥

= Vulnerable software versions

Debian Releases

Debian Product

Codename

cpp-httplib

bookworm	0.11.4+ds-1+deb12u1 fixed
forky	0.41.0+ds-3 fixed
sid	0.41.0+ds-3 fixed
trixie	0.18.7-1+deb13u1 fixed
trixie (security)	0.18.7-1+deb13u1 fixed

Known Exploits!

https://github.com/yhirose/cpp-httplib/security/advisories/GHSA-xjhg-gf59-p92h

Common Weakness Enumeration

CWE-400 - Uncontrolled Resource Consumption
The software does not properly control the allocation and maintenance of a limited resource, thereby enabling an actor to influence the amount of resources consumed, eventually leading to the exhaustion of available resources.

References

https://github.com/yhirose/cpp-httplib/commit/28dcf379e82a2cdb544d812696a7fd46067eb7f9

https://github.com/yhirose/cpp-httplib/security/advisories/GHSA-xjhg-gf59-p92h