cpp-httplib: Unchecked HTTP Header Can Crash Client Application

Monitor vulnerabilities like this one. Sign up free to get alerted when software you use is affected.

7.5

cpp-httplib: Unchecked HTTP Header Can Crash Client Application

CVE-2026-31870

Summary

A bug in the cpp-httplib library can cause a client application to crash if it receives a malicious HTTP response. This can happen if the application uses the library to connect to any server, regardless of authentication or user interaction. To protect your application, update to version 0.37.1 or later.

Original title

Original description

cpp-httplib is a C++11 single-file header-only cross platform HTTP/HTTPS library. Prior to 0.37.1, when a cpp-httplib client uses the streaming API (httplib::stream::Get, httplib::stream::Post, etc.), the library calls std::stoull() directly on the Content-Length header value received from the server with no input validation and no exception handling. std::stoull throws std::invalid_argument for non-numeric strings and std::out_of_range for values exceeding ULLONG_MAX. Since nothing catches these exceptions, the C++ runtime calls std::terminate(), which kills the process with SIGABRT. Any server the client connects to — including servers reached via HTTP redirects, third-party APIs, or man-in-the-middle positions can crash the client application with a single HTTP response. No authentication is required. No interaction from the end user is required. The crash is deterministic and immediate. This vulnerability is fixed in 0.37.1.

nvd CVSS3.1 7.5

Vulnerability type

CWE-248

https://github.com/yhirose/cpp-httplib/security/advisories/GHSA-39q5-hh6x-jpxx

Published: 11 Mar 2026 · Updated: 13 Mar 2026 · First seen: 11 Mar 2026