Fluid Attacks Database

Description

cpp-httplib is a C++11 single-file header-only cross platform HTTP/HTTPS library. Prior to version 0.37.0, cpp-httplib uses std::regex (libstdc++) to parse RFC 5987 encoded filename* values in multipart Content-Disposition headers. The regex engine in libstdc++ implements backtracking via deep recursion, consuming one stack frame per input character. An attacker can send a single HTTP POST request with a crafted filename* parameter that causes uncontrolled stack growth, resulting in a stack overflow (SIGSEGV) that crashes the server process. This issue has been patched in version 0.37.0.

Mitigation

Update Impact

Minimal update. May introduce new vulnerabilities or breaking changes.

Ecosystem	Package	Affected version	Patched versions
debian 14	cpp-httplib	=0.18.7-1 \|\| =0.20.1+ds-3 \|\| =0.25.0+ds-1 \|\| =0.26.0+ds-2 \|\| =0.41.0+ds-1 \|\| =0.41.0+ds-2 \|\| >=0 <0.41.0+ds-3	0.41.0+ds-3
debian 12	cpp-httplib	=0.11.4+ds-1 \|\| =0.11.4+ds-1+deb12u1 \|\| =0.11.4+ds-2 \|\| =0.11.4+ds-3 \|\| =0.13.1+ds-1 \|\| =0.14.0+ds-1 \|\| =0.14.1+ds-1 \|\| =0.14.1+ds-2 \|\| =0.14.2+ds-1 \|\| =0.14.3+ds-1 \|\| =0.14.3+ds-1.1 \|\| =0.14.3+ds-1.1~exp1 \|\| =0.15.3+ds-1 \|\| =0.15.3+ds-2 \|\| =0.15.3+ds-3 \|\| =0.16.0+ds-1 \|\| =0.16.3+ds-1 \|\| =0.16.3+ds-2 \|\| =0.18.0+ds-1 \|\| =0.18.7-1 \|\| =0.20.1+ds-3 \|\| =0.25.0+ds-1 \|\| =0.26.0+ds-2 \|\| =0.41.0+ds-1 \|\| =0.41.0+ds-2 \|\| =0.41.0+ds-3	-
debian 13	cpp-httplib	=0.18.7-1 \|\| =0.18.7-1+deb13u1 \|\| =0.20.1+ds-3 \|\| =0.25.0+ds-1 \|\| =0.26.0+ds-2 \|\| =0.41.0+ds-1 \|\| =0.41.0+ds-2 \|\| =0.41.0+ds-3	-

Aliases

1. CVE-2026-290762. NVD-2026-290763. OSV-DEBIAN-2026-290764. OSV-2026-290765. SECURITY-TRACKER-CVE-2026-29076

Does your application use this vulnerable software?

During the free trial, our tools assess your application, identify vulnerabilities, and provide recommendations for their remediation.