5.9
cpp-httplib: Malicious HTTP Request Can Crash Server
CVE-2026-29076
Summary
A single malicious HTTP POST request can crash a server process built on cpp-httplib, a C++ HTTP/HTTPS library. The request carries a crafted filename* parameter in a multipart Content-Disposition header; parsing it drives the libstdc++ std::regex engine into deep recursion until the stack overflows. Update to version 0.37.0 or later to fix the issue.
What to do
No fix is available yet. Check with your software vendor for updates.
Affected software
| Vendor | Product | Affected versions | Fix available |
|---|---|---|---|
| yhirose | cpp-httplib | <= 0.37.0 | – |
Original title
cpp-httplib is a C++11 single-file header-only cross platform HTTP/HTTPS library. Prior to version 0.37.0, cpp-httplib uses std::regex (libstdc++) to parse RFC 5987 encoded filename* values in mult...
Original description
cpp-httplib is a C++11 single-file header-only cross platform HTTP/HTTPS library. Prior to version 0.37.0, cpp-httplib uses std::regex (libstdc++) to parse RFC 5987 encoded filename* values in multipart Content-Disposition headers. The regex engine in libstdc++ implements backtracking via deep recursion, consuming one stack frame per input character. An attacker can send a single HTTP POST request with a crafted filename* parameter that causes uncontrolled stack growth, resulting in a stack overflow (SIGSEGV) that crashes the server process. This issue has been patched in version 0.37.0.
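Added example, not code from cpp-httplib or its 0.37.0 patch: one way to decode an RFC 5987 ext-value without std::regex, in a single forward pass whose stack use does not grow with input length. The name parse_ext_value, the 1024-byte cap, the UTF-8-only charset check and the refusal of NUL and path separators are assumptions of this example.

```cpp
#include <cctype>
#include <cstddef>
#include <optional>
#include <string>
#include <string_view>

// Assumed cap on the encoded value; not a cpp-httplib setting.
constexpr std::size_t kMaxExtValueLen = 1024;
static int hex_val(char c) {
  if (c >= '0' && c <= '9') return c - '0';
  if (c >= 'a' && c <= 'f') return c - 'a' + 10;
  if (c >= 'A' && c <= 'F') return c - 'A' + 10;
  return -1;  // not a hex digit
}
// RFC 5987 attr-char: ALPHA / DIGIT / one of "!#$&+-.^_`|~".
static bool is_attr_char(char c) {
  return std::isalnum(static_cast<unsigned char>(c)) ||
         std::string_view("!#$&+-.^_`|~").find(c) != std::string_view::npos;
}

// Decode ext-value = charset "'" [language] "'" value-chars in one forward
// pass. No regex and no recursion, so stack use is constant in input length.
std::optional<std::string> parse_ext_value(std::string_view in) {
  if (in.size() > kMaxExtValueLen) return std::nullopt;  // bound work up front
  const auto q1 = in.find('\'');
  if (q1 == std::string_view::npos) return std::nullopt;
  const auto q2 = in.find('\'', q1 + 1);
  if (q2 == std::string_view::npos) return std::nullopt;
  const std::string_view cs = in.substr(0, q1);
  // Strict by choice: only these two spellings of the charset are accepted.
  if (cs != "UTF-8" && cs != "utf-8") return std::nullopt;
  const std::string_view enc = in.substr(q2 + 1);
  std::string out;
  for (std::size_t i = 0; i < enc.size(); ++i) {
    if (enc[i] != '%') {
      if (!is_attr_char(enc[i])) return std::nullopt;
      out.push_back(enc[i]);
      continue;
    }
    if (enc.size() - i < 3) return std::nullopt;  // truncated %XX escape
    const int hi = hex_val(enc[i + 1]), lo = hex_val(enc[i + 2]);
    if (hi < 0 || lo < 0) return std::nullopt;
    const char b = static_cast<char>(hi * 16 + lo);
    // Policy choice: refuse NUL and path separators in the decoded name.
    if (b == '\0' || b == '/' || b == '\\') return std::nullopt;
    out.push_back(b);
    i += 2;  // skip the two hex digits just consumed
  }
  return out;
}
```

The decoded bytes are returned as-is; validating that they form well-formed UTF-8 is left to the caller.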
nvd CVSS3.1
5.9
Vulnerability type
CWE-674
CWE-1333
Inefficient Regular Expression Complexity (ReDoS)
Published: 7 Mar 2026 · Updated: 13 Mar 2026 · First seen: 7 Mar 2026