CVE-2025-53629 Overview
CVE-2025-53629 affects cpp-httplib, a C++11 single-file header-only cross-platform HTTP/HTTPS library widely used in embedded servers and applications. Versions prior to 0.23.0 allow incoming requests carrying a Transfer-Encoding: chunked header to trigger arbitrary memory allocation on the server. An unauthenticated remote attacker can exhaust server memory and cause a denial of service. The flaw is classified as [CWE-770: Allocation of Resources Without Limits or Throttling]. This issue is related to CVE-2025-53628 and is fixed in version 0.23.0.
Critical Impact
Remote, unauthenticated attackers can exhaust server memory through crafted chunked HTTP requests, taking down any service built on vulnerable cpp-httplib versions.
Affected Products
- yhirose cpp-httplib versions prior to 0.23.0
- Applications and embedded HTTP/HTTPS servers statically linking the vulnerable header
- Downstream projects bundling httplib.h from affected releases
Discovery Timeline
- 2025-07-10 - CVE-2025-53629 published to NVD
- 2025-08-06 - Last updated in NVD database
Technical Details for CVE-2025-53629
Vulnerability Analysis
The vulnerability resides in how cpp-httplib parses HTTP request bodies sent with Transfer-Encoding: chunked. The chunked transfer coding allows a client to declare each subsequent chunk size in hexadecimal before the chunk data. The server reads each declared size and allocates buffer memory to receive the chunk. Prior to version 0.23.0, the library did not enforce upper bounds on the cumulative or per-chunk allocation requested by the client.
Because allocation is driven by attacker-controlled chunk size declarations, a single connection can request multi-gigabyte buffers without ever sending the corresponding payload. Repeated connections amplify the effect across worker threads. The CWE-770 classification reflects this missing resource throttling.
Root Cause
The root cause is the absence of a hard limit on memory allocated while assembling the chunked request body. The parser trusted client-supplied chunk size fields and grew internal buffers accordingly, without comparing them to a configurable maximum body size or available system memory.
Attack Vector
Exploitation requires only network reachability to a service running vulnerable cpp-httplib. No authentication or user interaction is needed. An attacker sends an HTTP request with Transfer-Encoding: chunked and chunk size headers declaring very large values. The server allocates the corresponding memory before the data arrives, and the process is killed by the OS out-of-memory handler or stalls servicing legitimate traffic. See the cpp-httplib security advisory GHSA-qjmq-h3cc-qv6w for technical details. No public proof-of-concept code is currently available, so a synthetic exploit listing is omitted here.
Detection Methods for CVE-2025-53629
Indicators of Compromise
- Sudden spikes in resident memory of processes hosting cpp-httplib-based servers, followed by OOM kills logged in /var/log/syslog or dmesg.
- HTTP access logs showing inbound requests with Transfer-Encoding: chunked from unexpected client IPs and unusually large declared chunk sizes.
- Repeated short-lived connections from the same source attempting chunked POST or PUT requests against any URI.
Detection Strategies
- Inspect HTTP traffic at the proxy or WAF layer for Transfer-Encoding: chunked requests with chunk size fields exceeding policy-defined maximums.
- Correlate process memory growth metrics with concurrent inbound HTTP request volume to identify allocation amplification.
- Use software composition analysis to inventory binaries and source trees containing httplib.h and flag any version below 0.23.0.
Monitoring Recommendations
- Alert on Linux OOM-killer events targeting web service processes.
- Track per-source request rates and chunked body declared sizes through reverse proxy access logs.
- Monitor process restart counts in container orchestrators where cpp-httplib services run.
How to Mitigate CVE-2025-53629
Immediate Actions Required
- Upgrade cpp-httplib to version 0.23.0 or later and rebuild all downstream binaries that statically include httplib.h.
- Front exposed services with a reverse proxy or WAF that enforces a maximum request body size and rejects oversized chunked declarations.
- Apply network-level rate limiting on endpoints accepting POST, PUT, or PATCH requests until patched builds are deployed.
Patch Information
The fix is included in cpp-httplib0.23.0. The upstream commit 17ba303889b8d4d719be3879a70639ab653efb99 introduces bounded allocation when parsing chunked bodies. Refer to the GitHub Security Advisory GHSA-qjmq-h3cc-qv6w for the authoritative fix description.
Workarounds
- Set application-level payload_max_length constraints if exposed by your wrapper around cpp-httplib.
- Terminate TLS and HTTP parsing at a hardened reverse proxy such as nginx or HAProxy that caps client_max_body_size.
- Restrict inbound traffic to authenticated clients only where business requirements allow.
# nginx reverse proxy mitigation: cap request body size and reject oversized chunked requests
server {
listen 443 ssl;
server_name app.example.com;
client_max_body_size 1m;
client_body_buffer_size 16k;
large_client_header_buffers 4 8k;
location / {
proxy_pass http://127.0.0.1:8080;
proxy_request_buffering on;
proxy_http_version 1.1;
}
}
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.
