CVE-2025-46728 Overview
CVE-2025-46728 is a resource exhaustion vulnerability affecting cpp-httplib, a popular C++ header-only HTTP/HTTPS server and client library. The vulnerability exists in versions prior to 0.20.1 where the library fails to enforce configured size limits on incoming request bodies when Transfer-Encoding: chunked is used or when no Content-Length header is provided.
A remote attacker can exploit this flaw by sending a chunked request without the terminating zero-length chunk, causing uncontrolled memory allocation on the server. This leads to potential exhaustion of system memory and results in server crash or complete unresponsiveness, constituting a Denial of Service (DoS) condition.
Critical Impact
Remote attackers can crash or render unresponsive any server using vulnerable versions of cpp-httplib by exploiting improper request body size limit enforcement during chunked transfer encoding parsing.
Affected Products
- cpp-httplib versions prior to 0.20.1
- Applications built using vulnerable cpp-httplib as a dependency
- HTTP/HTTPS servers implemented with cpp-httplib header-only library
Discovery Timeline
- 2025-05-06 - CVE-2025-46728 published to NVD
- 2025-08-01 - Last updated in NVD database
Technical Details for CVE-2025-46728
Vulnerability Analysis
This vulnerability is classified under CWE-400 (Uncontrolled Resource Consumption). The core issue lies in how cpp-httplib handles HTTP request body parsing when dealing with chunked transfer encoding. The library does not properly enforce the configured maximum request body size limits during the parsing phase of chunked requests.
When a client sends an HTTP request using Transfer-Encoding: chunked without including the required terminating zero-length chunk, the server continues to allocate memory for incoming data without bound checking. Similarly, requests lacking a Content-Length header bypass the size enforcement mechanism entirely.
The vulnerability is network-accessible and requires no authentication or user interaction to exploit, making it particularly dangerous for internet-facing services. The attack complexity is low, as an attacker only needs to craft a malformed HTTP request to trigger the memory exhaustion condition.
Root Cause
The root cause is improper input validation in the HTTP request body parsing logic. Specifically, the library's chunked transfer encoding handler does not check the accumulated request body size against configured limits during the parsing loop. This allows an attacker to continuously feed data to the server, which naively allocates memory for each chunk received without enforcing upper bounds.
The missing validation occurs at the boundary where incoming chunked data is processed and stored, allowing unbounded memory growth until system resources are exhausted.
Attack Vector
The attack can be executed remotely over the network by any unauthenticated attacker who can reach the vulnerable server. The exploitation sequence involves:
- Establishing an HTTP connection to the target server
- Sending an HTTP request with Transfer-Encoding: chunked header
- Continuously transmitting chunk data without sending the terminating 0\r\n\r\n sequence
- The server allocates memory for each chunk without enforcing limits
- Server memory becomes exhausted, leading to crash or unresponsiveness
The following patch addresses the vulnerability by introducing a maximum line length constant:
#define CPPHTTPLIB_LISTEN_BACKLOG 5
#endif
+#ifndef CPPHTTPLIB_MAX_LINE_LENGTH
+#define CPPHTTPLIB_MAX_LINE_LENGTH 32768
+#endif
+
/*
* Headers
*/
Source: GitHub Commit 7b752106ac42bd5b907793950d9125a0972c8e8e
This patch introduces the CPPHTTPLIB_MAX_LINE_LENGTH constant set to 32768 bytes as part of the fix to enforce limits during parsing. When the limit is exceeded at any point during reading, the connection is terminated immediately.
Detection Methods for CVE-2025-46728
Indicators of Compromise
- Abnormal memory growth patterns on servers running cpp-httplib-based applications
- Incomplete HTTP requests with Transfer-Encoding: chunked that never terminate
- Connection timeouts associated with memory exhaustion events
- Server process crashes or OOM (Out of Memory) killer events in system logs
Detection Strategies
- Monitor for HTTP requests containing Transfer-Encoding: chunked header that remain open indefinitely without completing
- Implement network traffic analysis to detect connections transmitting continuous chunk data without termination
- Deploy application performance monitoring (APM) to track memory allocation patterns in cpp-httplib services
- Configure alerting on server memory utilization thresholds to catch exploitation attempts early
Monitoring Recommendations
- Enable detailed HTTP access logging to capture request headers including Transfer-Encoding values
- Set up memory consumption alerts at 70%, 85%, and 95% thresholds for proactive detection
- Monitor network connection duration anomalies for HTTP endpoints
- Implement log aggregation and correlation to identify patterns of malformed chunked requests across multiple servers
How to Mitigate CVE-2025-46728
Immediate Actions Required
- Upgrade cpp-httplib to version 0.20.1 or later immediately
- If immediate upgrade is not possible, deploy a reverse proxy (Nginx, HAProxy) in front of vulnerable applications
- Configure reverse proxy to enforce maximum request body size limits
- Review and identify all applications in your environment using cpp-httplib as a dependency
Patch Information
The vulnerability is fixed in cpp-httplib version 0.20.1. The fix enforces size limits during the parsing phase, and if the limit is exceeded at any point during reading, the connection is terminated immediately.
For detailed patch information, refer to the GitHub Commit and the GitHub Security Advisory GHSA-px83-72rx-v57c.
Workarounds
- Deploy a reverse proxy such as Nginx or HAProxy in front of cpp-httplib applications
- Configure the proxy to enforce strict maximum request body size limits
- Implement connection timeout policies at the proxy level to terminate long-running requests
- Consider rate limiting on chunked transfer requests at the network perimeter
# Nginx configuration example for request body size limit
# Add to server or location block
client_max_body_size 10m;
client_body_timeout 60s;
proxy_read_timeout 60s;
# HAProxy example
# Add to backend or frontend section
# option http-buffer-request
# http-request deny if { req.body_size gt 10485760 }
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.
