CVE-2026-28435
📋 TL;DR
This vulnerability in cpp-httplib allows attackers to bypass configured payload size limits by sending compressed HTTP requests. When using streaming content readers with gzip or other supported encodings, a small compressed payload can expand beyond the configured maximum size, potentially causing denial of service through CPU/memory exhaustion. Any application using cpp-httplib versions before 0.35.0 with streaming content readers and compression support is affected.
💻 Affected Systems
- cpp-httplib
📦 What is this software?
cpp-httplib, a header-only C++ HTTP/HTTPS library by yhirose.
⚠️ Risk & Real-World Impact
Worst Case
Complete denial of service through memory exhaustion, potentially crashing the server or causing extended downtime.
Likely Case
Resource exhaustion leading to degraded performance, service disruption, or application crashes.
If Mitigated
Minimal impact with proper payload limits enforced and monitoring in place.
🎯 Exploit Status
Exploitation requires sending specially crafted compressed HTTP requests to vulnerable endpoints.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: 0.35.0
Vendor Advisory: https://github.com/yhirose/cpp-httplib/security/advisories/GHSA-xvfx-w463-6fpp
Restart Required: Yes
Instructions:
1. Update cpp-httplib to version 0.35.0 or later.
2. Replace httplib.h with the patched version.
3. Recompile and restart affected applications.
🔧 Temporary Workarounds
Disable compression support
Disable Content-Encoding support in the cpp-httplib configuration so that compressed request bodies are never decompressed.
Configure the server to reject compressed requests, or disable compression handling altogether.
Implement external payload validation
Add custom middleware that validates the decompressed payload size before processing.
Implement a custom request handler that checks Content-Length and the decompressed size.
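An added example, not cpp-httplib's own code, of the "custom request handler" workaround above: a guard that counts the decompressed bytes a streaming content reader delivers and aborts the read once a hard cap or a declared-length expansion ratio is exceeded. The 1 MiB cap, the 100:1 ratio, the chunk sizes and the route in the comment are assumptions.

```cpp
// Added example (not cpp-httplib's own code): cap the cumulative *decompressed*
// bytes a streaming content reader accepts. cpp-httplib's ContentReceiver is
// std::function<bool(const char*, size_t)>; returning false aborts the body read.
// Hypothetical use inside a cpp-httplib HandlerWithContentReader (route assumed):
//   reader([&](const char* d, size_t n) { return guard.accept(d, n, body); });
//   if (guard.rejected) { res.status = 413; return; }  // Payload Too Large
#include <cstddef>
#include <string>
#include <vector>
struct DecompressedSizeGuard {
    std::size_t max_decompressed;  // hard cap on bytes handed to the application
    std::size_t declared_length;   // Content-Length of the compressed body (0 = unknown)
    std::size_t max_ratio;         // abort when received exceeds declared_length * max_ratio
    std::size_t received = 0;      // invariant: received <= max_decompressed
    bool rejected = false;

    // Returns true to keep reading, false to make cpp-httplib stop the read.
    bool accept(const char* data, std::size_t len, std::string& sink) {
        if (rejected) return false;
        if (len > max_decompressed - received) { rejected = true; return false; }
        received += len;
        // Ratio check written as a division so declared_length * max_ratio cannot overflow.
        if (declared_length != 0 && received / max_ratio > declared_length) {
            rejected = true;
            return false;
        }
        sink.append(data, len);
        return true;
    }
};
struct FeedResult { std::size_t chunks_accepted; bool aborted; std::size_t bytes_kept; };

// Simulates the inflated chunks cpp-httplib would hand to the receiver
// (constructed sample input: chunk_count chunks of chunk_size bytes of 'A').
FeedResult feed_chunks(DecompressedSizeGuard& guard, std::size_t chunk_size, std::size_t chunk_count) {
    std::string sink;
    std::vector<char> chunk(chunk_size, 'A');
    FeedResult r{0, false, 0};
    for (std::size_t i = 0; i < chunk_count && guard.accept(chunk.data(), chunk.size(), sink); ++i)
        ++r.chunks_accepted;
    r.aborted = guard.rejected;
    r.bytes_kept = sink.size();
    return r;
}
// Scenario: a 1 KiB compressed body inflating to 100 x 64 KiB (6.25 MiB) against a
// 1 MiB cap and a 100:1 ratio limit; the second chunk trips the ratio check.
int main() {
    DecompressedSizeGuard guard{1u << 20, 1024, 100};
    return feed_chunks(guard, 64 * 1024, 100).aborted ? 0 : 1;
}
```

cpp-httplib only inflates request bodies when built with CPPHTTPLIB_ZLIB_SUPPORT or CPPHTTPLIB_BROTLI_SUPPORT defined, so leaving those out of the build is the "disable compression support" workaround. The ratio check also rejects legitimately very compressible uploads, so size max_ratio to the application's real data.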
🧯 If You Can't Patch
- Implement rate limiting and request size monitoring at network perimeter
- Deploy WAF rules to block or limit compressed HTTP requests to vulnerable endpoints
🔍 How to Verify
Check if Vulnerable:
Check whether the application uses cpp-httplib version < 0.35.0 and whether HandlerWithContentReader handlers are used with compression support enabled.
Check Version:
Check the version string in httplib.h or examine the build configuration.
Verify Fix Applied:
Verify that cpp-httplib is version 0.35.0 or later, and test with compressed payloads that expand beyond the configured limits to confirm they are rejected.
📡 Detection & Monitoring
Log Indicators:
- Unusually large request processing times
- Memory usage spikes
- Application crashes with out-of-memory errors
Network Indicators:
- Small compressed requests to endpoints using streaming content readers
- Multiple compressed requests in short timeframes
SIEM Query:
source="web_server" AND ((request_size<1000 AND processing_time>5s) OR memory_usage>90%)