The SentinelOne Annual Threat Report - A Defenders Guide from the FrontlinesThe SentinelOne Annual Threat ReportGet the Report
Experiencing a Breach?Blog
Get StartedContact Us
SentinelOne
  • Platform
    Platform Overview
    • Singularity Platform
      Welcome to Integrated Enterprise Security
    • AI for Security
      Leading the Way in AI-Powered Security Solutions
    • Securing AI
      Accelerate AI Adoption with Secure AI Tools, Apps, and Agents.
    • How It Works
      The Singularity XDR Difference
    • Singularity Marketplace
      One-Click Integrations to Unlock the Power of XDR
    • Pricing & Packaging
      Comparisons and Guidance at a Glance
    Data & AI
    • Purple AI
      Accelerate SecOps with Generative AI
    • Singularity Hyperautomation
      Easily Automate Security Processes
    • AI-SIEM
      The AI SIEM for the Autonomous SOC
    • Singularity Data Lake
      AI-Powered, Unified Data Lake
    • Singularity Data Lake for Log Analytics
      Seamlessly Ingest Data from On-Prem, Cloud or Hybrid Environments
    Endpoint Security
    • Singularity Endpoint
      Autonomous Prevention, Detection, and Response
    • Singularity XDR
      Native & Open Protection, Detection, and Response
    • Singularity RemoteOps Forensics
      Orchestrate Forensics at Scale
    • Singularity Threat Intelligence
      Comprehensive Adversary Intelligence
    • Singularity Vulnerability Management
      Application & OS Vulnerability Management
    • Singularity Identity
      Identity Threat Detection and Response
    Cloud Security
    • Singularity Cloud Security
      Block Attacks with an AI-Powered CNAPP
    • Singularity Cloud Native Security
      Secure Cloud and Development Resources
    • Singularity Cloud Workload Security
      Real-Time Cloud Workload Protection Platform
    • Singularity Cloud Data Security
      AI-Powered Threat Detection for Cloud Storage
    • Singularity Cloud Security Posture Management
      Detect and Remediate Cloud Misconfigurations
    Securing AI
    • Prompt Security
      Secure AI Tools Across Your Enterprise
  • Why SentinelOne?
    Why SentinelOne?
    • Why SentinelOne?
      Cybersecurity Built for What’s Next
    • Our Customers
      Trusted by the World’s Leading Enterprises
    • Industry Recognition
      Tested and Proven by the Experts
    • About Us
      The Industry Leader in Autonomous Cybersecurity
    Compare SentinelOne
    • Arctic Wolf
    • Broadcom
    • CrowdStrike
    • Cybereason
    • Microsoft
    • Palo Alto Networks
    • Sophos
    • Splunk
    • Trellix
    • Trend Micro
    • Wiz
    Verticals
    • Energy
    • Federal Government
    • Finance
    • Healthcare
    • Higher Education
    • K-12 Education
    • Manufacturing
    • Retail
    • State and Local Government
  • Services
    Managed Services
    • Managed Services Overview
      Wayfinder Threat Detection & Response
    • Threat Hunting
      World-Class Expertise and Threat Intelligence
    • Managed Detection & Response
      24/7/365 Expert MDR Across Your Entire Environment
    • Incident Readiness & Response
      DFIR, Breach Readiness, & Compromise Assessments
    Support, Deployment, & Health
    • Technical Account Management
      Customer Success with Personalized Service
    • SentinelOne GO
      Guided Onboarding & Deployment Advisory
    • SentinelOne University
      Live and On-Demand Training
    • Services Overview
      Comprehensive Solutions for Seamless Security Operations
    • SentinelOne Community
      Community Login
  • Partners
    Our Network
    • MSSP Partners
      Succeed Faster with SentinelOne
    • Singularity Marketplace
      Extend the Power of S1 Technology
    • Cyber Risk Partners
      Enlist Pro Response and Advisory Teams
    • Technology Alliances
      Integrated, Enterprise-Scale Solutions
    • SentinelOne for AWS
      Hosted in AWS Regions Around the World
    • Channel Partners
      Deliver the Right Solutions, Together
    • SentinelOne for Google Cloud
      Unified, Autonomous Security Giving Defenders the Advantage at Global Scale
    • Partner Locator
      Your Go-to Source for Our Top Partners in Your Region
    Partner Portal→
  • Resources
    Resource Center
    • Case Studies
    • Data Sheets
    • eBooks
    • Reports
    • Videos
    • Webinars
    • Whitepapers
    • Events
    View All Resources→
    Blog
    • Feature Spotlight
    • For CISO/CIO
    • From the Front Lines
    • Identity
    • Cloud
    • macOS
    • SentinelOne Blog
    Blog→
    Tech Resources
    • SentinelLABS
    • Ransomware Anthology
    • Cybersecurity 101
  • About
    About SentinelOne
    • About SentinelOne
      The Industry Leader in Cybersecurity
    • Investor Relations
      Financial Information & Events
    • SentinelLABS
      Threat Research for the Modern Threat Hunter
    • Careers
      The Latest Job Opportunities
    • Press & News
      Company Announcements
    • Cybersecurity Blog
      The Latest Cybersecurity Threats, News, & More
    • FAQ
      Get Answers to Our Most Frequently Asked Questions
    • DataSet
      The Live Data Platform
    • S Foundation
      Securing a Safer Future for All
    • S Ventures
      Investing in the Next Generation of Security, Data and AI
  • Pricing
Get StartedContact Us
CVE Vulnerability Database
Vulnerability Database/CVE-2026-31870

CVE-2026-31870: cpp-httplib DoS Vulnerability

CVE-2026-31870 is a denial of service flaw in cpp-httplib that allows malicious servers to crash client applications via malformed Content-Length headers. This article covers technical details, affected versions, and mitigation.

Published: March 13, 2026

CVE-2026-31870 Overview

A denial of service vulnerability exists in cpp-httplib, a C++11 single-file header-only cross platform HTTP/HTTPS library. Prior to version 0.37.1, when a cpp-httplib client uses the streaming API (httplib::stream::Get, httplib::stream::Post, etc.), the library calls std::stoull() directly on the Content-Length header value received from the server with no input validation and no exception handling.

The std::stoull function throws std::invalid_argument for non-numeric strings and std::out_of_range for values exceeding ULLONG_MAX. Since nothing catches these exceptions, the C++ runtime calls std::terminate(), which kills the process with SIGABRT.

Critical Impact

Any server the client connects to—including servers reached via HTTP redirects, third-party APIs, or man-in-the-middle positions—can crash the client application with a single HTTP response. No authentication or user interaction is required, and the crash is deterministic and immediate.

Affected Products

  • cpp-httplib versions prior to 0.37.1
  • Applications using cpp-httplib streaming API (httplib::stream::Get, httplib::stream::Post, etc.)
  • Any client application connecting to untrusted or potentially compromised servers

Discovery Timeline

  • 2026-03-11 - CVE CVE-2026-31870 published to NVD
  • 2026-03-12 - Last updated in NVD database

Technical Details for CVE-2026-31870

Vulnerability Analysis

This vulnerability is classified under CWE-248 (Uncaught Exception), which describes scenarios where an exception is thrown but not properly caught or handled by the application. In the case of cpp-httplib, the streaming API implementation directly parses the Content-Length HTTP header using std::stoull() without any input validation or exception handling mechanisms.

The std::stoull() function in C++ is designed to convert a string to an unsigned long long integer. However, when provided with malformed input—such as non-numeric characters or values that exceed ULLONG_MAX—it throws exceptions that bubble up through the call stack. Without a try-catch block to handle these exceptions, the C++ runtime invokes std::terminate(), resulting in immediate process termination via SIGABRT.

Root Cause

The root cause is improper input validation combined with missing exception handling (CWE-248). The cpp-httplib library trusts the Content-Length header value from remote servers without sanitizing or validating the input before attempting to convert it to a numeric type. The streaming API functions do not wrap the std::stoull() call in exception handling, allowing any malformed header value to crash the client application.

Attack Vector

This vulnerability can be exploited remotely over the network without authentication. An attacker can exploit this vulnerability through multiple attack vectors:

  1. Malicious Server: An attacker-controlled server responds to legitimate client requests with a malformed Content-Length header
  2. Man-in-the-Middle (MITM): An attacker intercepts HTTP traffic and injects malformed Content-Length headers into responses
  3. HTTP Redirects: A legitimate server redirects the client to an attacker-controlled endpoint that delivers the malicious response
  4. Compromised Third-Party APIs: If the client application interacts with third-party APIs, any compromised endpoint can trigger the vulnerability

The attack requires sending an HTTP response with a Content-Length header containing either non-numeric characters (triggering std::invalid_argument) or a value exceeding ULLONG_MAX (triggering std::out_of_range). For example, a response header like Content-Length: AAAAAAAA or Content-Length: 99999999999999999999999999 would trigger the crash when processed by vulnerable cpp-httplib streaming API calls.

Detection Methods for CVE-2026-31870

Indicators of Compromise

  • Unexpected client application crashes with SIGABRT signal
  • Core dumps showing std::terminate() in the stack trace originating from cpp-httplib code
  • Network traffic containing HTTP responses with malformed Content-Length headers (non-numeric or excessively large values)
  • Application logs showing abnormal termination during HTTP streaming operations

Detection Strategies

  • Monitor application crash logs for SIGABRT signals and stack traces involving std::stoull() or std::terminate()
  • Implement network-level inspection to flag HTTP responses with malformed Content-Length headers
  • Deploy application performance monitoring to detect unexpected process terminations correlating with HTTP client activity
  • Review cpp-httplib version in use across applications to identify vulnerable deployments

Monitoring Recommendations

  • Set up alerting for sudden client application crashes during HTTP operations
  • Monitor network traffic for anomalous HTTP response headers at ingress points
  • Implement health checks that can detect and alert on unexpected process terminations
  • Use endpoint detection and response (EDR) solutions to correlate SIGABRT crashes with network activity

How to Mitigate CVE-2026-31870

Immediate Actions Required

  • Upgrade cpp-httplib to version 0.37.1 or later immediately
  • Audit all applications using cpp-httplib to identify those utilizing the streaming API
  • Consider implementing network-level filtering to validate Content-Length headers before they reach vulnerable applications
  • If immediate patching is not possible, restrict client applications from connecting to untrusted servers

Patch Information

The vulnerability is fixed in cpp-httplib version 0.37.1. The fix adds proper input validation and exception handling for the Content-Length header parsing in the streaming API. Organizations should update their dependencies to the patched version as soon as possible.

For detailed information about the security fix, refer to the GitHub Security Advisory.

Workarounds

  • Wrap cpp-httplib streaming API calls in try-catch blocks at the application level to prevent uncaught exceptions from terminating the process
  • Implement a reverse proxy or web application firewall (WAF) that validates Content-Length headers before forwarding responses to client applications
  • Restrict client applications to connect only to trusted, controlled servers until the patch can be applied
  • Consider implementing a watchdog process to restart crashed applications while awaiting permanent remediation
bash
# Verify cpp-httplib version in your project
# Check header file for version information
grep -r "CPPHTTPLIB_VERSION" /path/to/your/project

# Update cpp-httplib to patched version
# If using as a git submodule:
cd /path/to/cpp-httplib
git fetch --tags
git checkout v0.37.1

# If using package manager, update to latest version
# Example for vcpkg:
vcpkg upgrade cpp-httplib

Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.

  • Vulnerability Details
  • TypeDOS
  • Vendor/TechCpp Httplib
  • SeverityHIGH
  • CVSS Score7.5
  • EPSS Probability0.06%
  • Known ExploitedNo
  • CVSS Vector
  • CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
  • Impact Assessment
  • ConfidentialityLow
  • IntegrityNone
  • AvailabilityHigh
  • CWE References
  • CWE-248
  • Technical References
  • GitHub Security Advisory
  • Related CVEs
  • CVE-2026-28435: Yhirose Cpp-httplib DoS Vulnerability
  • CVE-2026-22776: cpp-httplib DoS Vulnerability
  • CVE-2026-29076: Yhirose Cpp-httplib Buffer Overflow Flaw
  • CVE-2026-21428: Yhirose Cpp-httplib SSRF Vulnerability
Default Legacy - Prefooter | Experience the World’s Most Advanced Cybersecurity Platform

Experience the World’s Most Advanced Cybersecurity Platform

See how our intelligent, autonomous cybersecurity platform can protect your organization now and into the future.

Try SentinelOne
  • Get Started
  • Get a Demo
  • Product Tour
  • Why SentinelOne
  • Pricing & Packaging
  • FAQ
  • Contact
  • Contact Us
  • Customer Support
  • SentinelOne Status
  • Language
  • Platform
  • Singularity Platform
  • Singularity Endpoint
  • Singularity Cloud
  • Singularity AI-SIEM
  • Singularity Identity
  • Singularity Marketplace
  • Purple AI
  • Services
  • Wayfinder TDR
  • SentinelOne GO
  • Technical Account Management
  • Support Services
  • Verticals
  • Energy
  • Federal Government
  • Finance
  • Healthcare
  • Higher Education
  • K-12 Education
  • Manufacturing
  • Retail
  • State and Local Government
  • Cybersecurity for SMB
  • Resources
  • Blog
  • Labs
  • Case Studies
  • Videos
  • Product Tours
  • Events
  • Cybersecurity 101
  • eBooks
  • Webinars
  • Whitepapers
  • Press
  • News
  • Ransomware Anthology
  • Company
  • About Us
  • Our Customers
  • Careers
  • Partners
  • Legal & Compliance
  • Security & Compliance
  • Investor Relations
  • S Foundation
  • S Ventures

©2026 SentinelOne, All Rights Reserved.

Privacy Notice Terms of Use

English