CVE-2026-22776

EUVD-2026-2006

12.01.2026, 19:16

cpp-httplib is a C++11 single-file header-only cross platform HTTP/HTTPS library. Prior to version 0.30.1, a Denial of Service (DoS) vulnerability exists in cpp-httplib due to the unsafe handling of compressed HTTP request bodies (Content-Encoding: gzip, br, etc.). The library validates the payload_max_length against the compressed data size received from the network, but does not limit the size of the decompressed data stored in memory.

Data Amplification

Provider	Type	Base Score	Atk. Vector	Atk. Complexity	Priv. Required	Vector
NIST	Primary	7.5 HIGH	NETWORK	LOW	NONE	CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

Base Score

CVSS 3.x

EPSS Score

Percentile: 22%

Affected Products (NVD)

Vendor	Product	Version
yhirose	cpp-httplib	𝑥 < 0.30.1

𝑥

= Vulnerable software versions

Debian Releases

Debian Product

Codename

cpp-httplib

bookworm	vulnerable
forky	vulnerable
sid	vulnerable
trixie	vulnerable

Known Exploits!

https://github.com/yhirose/cpp-httplib/security/advisories/GHSA-h934-98h4-j43q

Common Weakness Enumeration

CWE-409 - Improper Handling of Highly Compressed Data (Data Amplification)
The software does not handle or incorrectly handles a compressed input with a very high compression ratio that produces a large output.

References

https://github.com/yhirose/cpp-httplib/commit/2e2e47bab1ae6a853476eecbc4bf279dd1fef792

https://github.com/yhirose/cpp-httplib/security/advisories/GHSA-h934-98h4-j43q