7.5
cpp-httplib: Large Payload Can Cause CPU/Memory Overload
CVE-2026-28435
Summary
A bug in cpp-httplib's handling of compressed HTTP requests can cause a denial of service by consuming excessive CPU or memory. This issue affects versions prior to 0.35.0. Update to 0.35.0 or later to fix the problem.
What to do
Update cpp-httplib to 0.35.0 or later, the release in which this vulnerability is fixed.
Affected software
| Vendor | Product | Affected versions | Fix available |
|---|---|---|---|
| yhirose | cpp-httplib | <= 0.35.0 | – |
Original title
cpp-httplib is a C++11 single-file header-only cross platform HTTP/HTTPS library. Prior to 0.35.0, cpp-httplib (httplib.h) does not enforce Server::set_payload_max_length() on the decompressed requ...
Original description
cpp-httplib is a C++11 single-file header-only cross platform HTTP/HTTPS library. Prior to 0.35.0, cpp-httplib (httplib.h) does not enforce Server::set_payload_max_length() on the decompressed request body when using HandlerWithContentReader (streaming ContentReader) with Content-Encoding: gzip (or other supported encodings). A small compressed payload can expand beyond the configured payload limit and be processed by the application, enabling a payload size limit bypass and potential denial of service (CPU/memory exhaustion). This vulnerability is fixed in 0.35.0.
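The check the description says was missing on the streaming path, as an added example that is not code from cpp-httplib or the advisory: the size limit is applied to bytes after decompression rather than to the bytes on the wire. It is written in Python with the standard `zlib` module instead of the library's C++; `read_gzip_body`, `PayloadTooLarge`, `LIMIT` and the sample payload are constructed for illustration.

```python
import gzip
import zlib

LIMIT = 64 * 1024  # assumed application limit on the request body, in bytes


class PayloadTooLarge(Exception):
    """The decompressed body exceeded the configured limit."""


def read_gzip_body(chunks, max_decompressed, sink):
    """Stream-inflate gzip chunks into sink, capping the decompressed size."""
    inflater = zlib.decompressobj(wbits=16 + zlib.MAX_WBITS)  # 16+ = gzip framing
    total = 0
    for chunk in chunks:
        data = chunk
        while data:
            # Ask for at most one byte past the remaining budget, so an
            # oversized body is detected without inflating all of it.
            out = inflater.decompress(data, max_decompressed - total + 1)
            total += len(out)
            if total > max_decompressed:
                raise PayloadTooLarge(f"body exceeds {max_decompressed} bytes")
            if out:
                sink(out)
            # Input left over because the output cap was reached.
            data = inflater.unconsumed_tail
    return total


def demo():
    # Constructed sample: 1 MiB of zero bytes, gzip-compressed.
    wire = gzip.compress(b"\0" * (1024 * 1024))
    chunks = [wire[i:i + 512] for i in range(0, len(wire), 512)]
    received = bytearray()
    try:
        read_gzip_body(chunks, LIMIT, received.extend)
        rejected = False
    except PayloadTooLarge:
        rejected = True
    # A limit checked against the wire size alone would accept this request.
    return len(wire) <= LIMIT, rejected, len(received)


if __name__ == "__main__":
    print(demo())
```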
nvd CVSS3.1
7.5
Vulnerability type
CWE-400
Uncontrolled Resource Consumption
CWE-409
Improper Handling of Highly Compressed Data (Data Amplification)
- https://github.com/yhirose/cpp-httplib/commit/c99d7472b5cf4869d3897b9afc9792063a... Patch
- https://github.com/yhirose/cpp-httplib/security/advisories/GHSA-xvfx-w463-6fpp Exploit Mitigation Vendor Advisory
Published: 4 Mar 2026 · Updated: 13 Mar 2026 · First seen: 6 Mar 2026