Source: cpp-httplib
Version: 0.18.7-1
Severity: important
Tags: security upstream
X-Debbugs-Cc: carnil@debian.org, Debian Security Team <team@security.debian.org>
Hi,
The following vulnerability was published for cpp-httplib.
CVE-2025-46728[0]:
| cpp-httplib is a C++ header-only HTTP/HTTPS server and client
| library. Prior to version 0.20.1, the library fails to enforce
| configured size limits on incoming request bodies when `Transfer-
| Encoding: chunked` is used or when no `Content-Length` header is
| provided. A remote attacker can send a chunked request without the
| terminating zero-length chunk, causing uncontrolled memory
| allocation on the server. This leads to potential exhaustion of
| system memory and results in a server crash or unresponsiveness.
| Version 0.20.1 fixes the issue by enforcing limits during parsing.
| If the limit is exceeded at any point during reading, the connection
| is terminated immediately. A short-term workaround through a Reverse
| Proxy is available. If updating the library immediately is not
| feasible, deploy a reverse proxy (e.g., Nginx, HAProxy) in front of
| the `cpp-httplib` application. Configure the proxy to enforce
| maximum request body size limits, thereby stopping excessively large
| requests before they reach the vulnerable library code.
If you fix the vulnerability please also make sure to include the
CVE (Common Vulnerabilities & Exposures) id in your changelog entry.
For further information see:
[0] https://security-tracker.debian.org/tracker/CVE-2025-46728
    https://www.cve.org/CVERecord?id=CVE-2025-46728
[1] https://github.com/yhirose/cpp-httplib/security/advisories/GHSA-px83-72rx-v57c
[2] https://github.com/yhirose/cpp-httplib/commit/7b752106ac42bd5b907793950d9125a0972c8e8e
Please adjust the affected versions in the BTS as needed.
Regards,
Salvatore
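Added example, not cpp-httplib's own code nor the upstream fix in [2]: a minimal C++ decoder for a `Transfer-Encoding: chunked` body that applies a configured size limit while parsing, which is the property the advisory says 0.20.1 restores. The names `decode_chunked`, `ChunkedStatus` and the sample inputs are assumptions constructed for this illustration.

```cpp
#include <cstddef>
#include <cstdlib>
#include <string>

// Outcome of one parsing pass over the buffered input.
enum class ChunkedStatus { Complete, NeedMore, TooLarge, Malformed };

// Decodes a chunked body from `in` into `out`, enforcing `max_len` on the
// decoded size during parsing. The check runs on the declared chunk size
// before any data is appended, so an oversized chunk is rejected without
// allocating for it, and a stream that never sends the terminating
// "0\r\n\r\n" chunk cannot grow `out` past `max_len` however many chunks
// arrive. Trailer fields are not supported in this illustration.
ChunkedStatus decode_chunked(const std::string& in, size_t max_len,
                             std::string& out) {
    size_t pos = 0;
    out.clear();
    for (;;) {
        // Chunk-size line: hex digits, optional ";ext", then CRLF.
        size_t eol = in.find("\r\n", pos);
        if (eol == std::string::npos) return ChunkedStatus::NeedMore;
        std::string line = in.substr(pos, eol - pos);
        size_t semi = line.find(';');
        if (semi != std::string::npos) line.erase(semi);
        if (line.empty() || line.size() > 16 ||
            line.find_first_not_of("0123456789abcdefABCDEF") != std::string::npos)
            return ChunkedStatus::Malformed;
        unsigned long long chunk_len = std::strtoull(line.c_str(), nullptr, 16);
        pos = eol + 2;
        if (chunk_len == 0) {
            // Last chunk: the body ends with one more CRLF.
            if (in.size() < pos + 2) return ChunkedStatus::NeedMore;
            return in.compare(pos, 2, "\r\n") == 0 ? ChunkedStatus::Complete
                                                   : ChunkedStatus::Malformed;
        }
        // Enforce the limit on the declared size before touching the data.
        // out.size() never exceeds max_len, so the subtraction cannot wrap.
        if (chunk_len > max_len - out.size()) return ChunkedStatus::TooLarge;
        if (in.size() < pos + chunk_len + 2) return ChunkedStatus::NeedMore;
        if (in.compare(pos + chunk_len, 2, "\r\n") != 0) return ChunkedStatus::Malformed;
        out.append(in, pos, chunk_len);
        pos += chunk_len + 2;
    }
}

// Helper for callers that only need the verdict, not the decoded body.
ChunkedStatus check_chunked(const std::string& in, size_t max_len) {
    std::string tmp;
    return decode_chunked(in, max_len, tmp);
}
```

A server using such a decoder closes the connection on `TooLarge` rather than waiting for the terminating chunk, which is the behaviour the advisory describes for the fixed version.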