CVE-2025-46728

CVE-2025-46728 is a high-severity vulnerability in Cpp-httplib Project Cpp-httplib with a CVSS 3.x base score of 7.5. It is not currently listed as actively exploited by CISA, and its EPSS exploit-prediction score is low. The underlying weakness is classified as CWE-400.

Key facts

Description

cpp-httplib is a C++ header-only HTTP/HTTPS server and client library. Prior to version 0.20.1, the library fails to enforce configured size limits on incoming request bodies when `Transfer-Encoding: chunked` is used or when no `Content-Length` header is provided. A remote attacker can send a chunked request without the terminating zero-length chunk, causing uncontrolled memory allocation on the server. This leads to potential exhaustion of system memory and results in a server crash or unresponsiveness. Version 0.20.1 fixes the issue by enforcing limits during parsing. If the limit is exceeded at any point during reading, the connection is terminated immediately. A short-term workaround through a Reverse Proxy is available. If updating the library immediately is not feasible, deploy a reverse proxy (e.g., Nginx, HAProxy) in front of the `cpp-httplib` application. Configure the proxy to enforce maximum request body size limits, thereby stopping excessively large requests before they reach the vulnerable library code.

Frequently asked questions

What is CVE-2025-46728?
cpp-httplib is a C++ header-only HTTP/HTTPS server and client library. Prior to version 0.20.1, the library fails to enforce configured size limits on incoming request bodies when `Transfer-Encoding: chunked` is used or when no `Content-Length` header is provided. A remote attacker can send a chunked request without the terminating zero-length chunk, causing uncontrolled memory allocation on the server. This leads to potential exhaustion of system memory and results in a server crash or unresponsiveness. Version 0.20.1 fixes the issue by enforcing limits during parsing. If the limit is exceeded at any point during reading, the connection is terminated immediately. A short-term workaround through a Reverse Proxy is available. If updating the library immediately is not feasible, deploy a reverse proxy (e.g., Nginx, HAProxy) in front of the `cpp-httplib` application. Configure the proxy to enforce maximum request body size limits, thereby stopping excessively large requests before they reach the vulnerable library code.
How severe is CVE-2025-46728?
CVE-2025-46728 has a CVSS 3.x base score of 7.5, rated high severity. It is exploitable over network with low attack complexity, requires no privileges and no user interaction. Impact on confidentiality is none, integrity none, and availability high.
Is CVE-2025-46728 being actively exploited?
It is not currently listed in CISA's KEV catalog. Its EPSS exploit-prediction score is 1% (45th percentile), an estimate of the probability of exploitation in the next 30 days.
What products are affected by CVE-2025-46728?
CVE-2025-46728 affects Cpp-httplib Project Cpp-httplib. See the affected-products list for the exact vulnerable versions.
How do I fix CVE-2025-46728?
Review the linked vendor and NVD advisories for patched versions and mitigations, then upgrade or apply the recommended workaround. Given its high severity, prioritise patching exposed systems.
Does CVE-2025-46728 have an EU (EUVD) identifier?
Yes. CVE-2025-46728 is tracked in the ENISA EU Vulnerability Database (EUVD) as EUVD-2025-13496.
When was CVE-2025-46728 published?
CVE-2025-46728 was published on 2025-05-06 and last updated on 2026-06-17.

References

Affected products (1)

More vulnerabilities in Cpp-httplib Project Cpp-httplib

All CVEs affecting Cpp-httplib Project Cpp-httplib →

Other CWE-400 (Uncontrolled Resource Consumption) vulnerabilities

Browse all CWE-400 (Uncontrolled Resource Consumption) vulnerabilities →