CVE-2026-22776

HIGH

cpp-httplib < 0.30.1 - Denial of Service via Unbounded Decompression of HTTP Request Bodies

Title source: llm

Description

cpp-httplib is a C++11 single-file header-only cross platform HTTP/HTTPS library. Prior to version 0.30.1, a Denial of Service (DoS) vulnerability exists in cpp-httplib due to the unsafe handling of compressed HTTP request bodies (Content-Encoding: gzip, br, etc.). The library validates the payload_max_length against the compressed data size received from the network, but does not limit the size of the decompressed data stored in memory.

References (2)

Core 2

Core References

Exploit, Vendor Advisory x_refsource_confirm

https://github.com/yhirose/cpp-httplib/security/advisories/GHSA-h934-98h4-j43q

Patch x_refsource_misc

https://github.com/yhirose/cpp-httplib/commit/2e2e47bab1ae6a853476eecbc4bf279dd1fef792

View Patch ZIP pw:eip

Scores

CVSS v3 7.5

EPSS 0.0035

EPSS Percentile 27.0%

Attack Vector NETWORK

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

CISA SSVC

Vulnrichment

Exploitation poc

Automatable yes

Technical Impact partial

Details

CWE

CWE-409

Status published

Products (1)

yhirose/cpp-httplib < 0.30.1

Published Jan 12, 2026

Tracked Since Feb 18, 2026