Fluid Attacks Database

Description

cpp-httplib is a C++11 single-file header-only cross platform HTTP/HTTPS library. Prior to 0.35.0, cpp-httplib (httplib.h) does not enforce Server::set_payload_max_length() on the decompressed request body when using HandlerWithContentReader (streaming ContentReader) with Content-Encoding: gzip (or other supported encodings). A small compressed payload can expand beyond the configured payload limit and be processed by the application, enabling a payload size limit bypass and potential denial of service (CPU/memory exhaustion). This vulnerability is fixed in 0.35.0.

Mitigation

Update Impact

Minimal update. May introduce new vulnerabilities or breaking changes.

Ecosystem	Package	Affected version	Patched versions
debian 12	cpp-httplib	=0.11.4+ds-1 \|\| =0.11.4+ds-1+deb12u1 \|\| =0.11.4+ds-2 \|\| =0.11.4+ds-3 \|\| =0.13.1+ds-1 \|\| =0.14.0+ds-1 \|\| =0.14.1+ds-1 \|\| =0.14.1+ds-2 \|\| =0.14.2+ds-1 \|\| =0.14.3+ds-1 \|\| =0.14.3+ds-1.1 \|\| =0.14.3+ds-1.1~exp1 \|\| =0.15.3+ds-1 \|\| =0.15.3+ds-2 \|\| =0.15.3+ds-3 \|\| =0.16.0+ds-1 \|\| =0.16.3+ds-1 \|\| =0.16.3+ds-2 \|\| =0.18.0+ds-1 \|\| =0.18.7-1 \|\| =0.20.1+ds-3 \|\| =0.25.0+ds-1 \|\| =0.26.0+ds-2 \|\| =0.41.0+ds-1 \|\| =0.41.0+ds-2 \|\| =0.41.0+ds-3	-
debian 13	cpp-httplib	=0.18.7-1 \|\| =0.18.7-1+deb13u1 \|\| =0.20.1+ds-3 \|\| =0.25.0+ds-1 \|\| =0.26.0+ds-2 \|\| =0.41.0+ds-1 \|\| =0.41.0+ds-2 \|\| =0.41.0+ds-3	-
debian 14	cpp-httplib	=0.18.7-1 \|\| =0.20.1+ds-3 \|\| =0.25.0+ds-1 \|\| =0.26.0+ds-2 \|\| =0.41.0+ds-1 \|\| =0.41.0+ds-2 \|\| >=0 <0.41.0+ds-3	0.41.0+ds-3

Aliases

1. CVE-2026-284352. NVD-2026-284353. OSV-DEBIAN-2026-284354. OSV-2026-284355. SECURITY-TRACKER-CVE-2026-28435