CVE-2026-28435

Field	Details
CVE ID	CVE-2026-28435
Vulnerability Name	cpp-httplib Payload Size Limit Bypass
Affected Software	cpp-httplib HTTP/HTTPS C++ library
CVSS Score	7.5 (Estimated)
Severity	High
Attack Vector	Network
Attack Complexity	Low
Privileges Required	None
User Interaction	None
Confidentiality Impact	None
Integrity Impact	None
Availability Impact	High
Exploitability	High
Exploit Availability	No confirmed public weaponized exploit; proof-of-concept techniques possible
Vulnerability Type	Payload Size Validation Bypass / Resource Exhaustion
Affected Versions	cpp-httplib versions prior to the patched release
Patched Version	Latest maintained release with payload validation fixes

Vulnerability Overview

CVE-2026-28435 describes a denial-of-service vulnerability identified in the cpp-httplib C++ HTTP server/client library. The issue arises from improper enforcement of configured payload size limits during HTTP request body processing.

The library allows developers to define maximum request body sizes in order to prevent excessive resource usage. However, in vulnerable implementations this protection can be bypassed under specific request formatting conditions. When specially crafted HTTP requests are processed, the internal request parser may continue accepting body data even after the configured payload limit has been exceeded.

As a result, the application using the library may continue allocating memory for the incoming request stream. If sufficiently large data is sent, memory exhaustion and CPU saturation may occur, eventually causing the application to stop responding or crash.

The vulnerability is particularly relevant for services that expose public HTTP endpoints using cpp-httplib. Since the library is distributed as a single header file, it is often embedded directly inside projects, which increases the risk that outdated copies remain in production environments.

Technical Description

cpp-httplib implements request body parsing through internal routines responsible for:

interpreting HTTP headers
determining request body size
reading incoming body data
validating payload limits

The vulnerability exists in the interaction between payload size validation logic and body parsing routines.

Under certain circumstances, the body parsing routine may continue reading incoming data beyond the configured size limit. This situation may occur when:

request headers declare misleading payload sizes
chunked transfer encoding is used
header/body size mismatches occur
boundary checks are performed incorrectly

Because the parser continues accepting additional data, the process handling the request may allocate buffers that exceed expected limits.

Repeated exploitation can cause the following:

worker threads blocked processing oversized bodies
memory growth beyond safe limits
service instability
full service outage

Affected Environments

Applications using cpp-httplib are commonly found in:

embedded device management APIs
IoT control panels
lightweight microservices written in C++
developer tools exposing HTTP interfaces
local development services
internal REST APIs

The risk becomes higher when these services are exposed to the public internet without request filtering.

Root Cause Analysis

The root cause is associated with insufficient validation of HTTP request body size during parsing operations.

The following conditions contribute to the vulnerability:

The request parser reads incoming body data incrementally.
The configured maximum payload limit is checked during certain stages of processing.
In specific edge cases, the check is either skipped or incorrectly evaluated.
The parser continues processing additional body data without terminating the request.

Because of this behaviour, malicious clients can intentionally craft HTTP requests that bypass the intended size restriction.

This results in uncontrolled resource consumption, which is classified as a resource exhaustion vulnerability.

Exploitation Scenario

The vulnerability can be exploited remotely by sending HTTP requests containing oversized payloads. The attack requires no authentication and can be performed using standard HTTP clients.

A typical attack sequence would proceed as follows:

The attacker identifies an application using cpp-httplib.
A request containing a body larger than the configured limit is sent.
Headers are crafted in a way that causes the body validation logic to be bypassed.
The server continues reading and buffering incoming data.
System memory usage increases rapidly.
The application becomes slow or unresponsive.
Eventually the service crashes or is terminated by the operating system.

When multiple requests are issued simultaneously, the impact becomes significantly greater.

Proof of Concept (Educational)

The following example demonstrates how an oversized request body could be delivered to a vulnerable server.

Example oversized POST request:

POST /api/upload HTTP/1.1
Host: vulnerable-server
Content-Type: application/json
Content-Length: 1024{"data":"AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA....(several megabytes streamed)"}

Chunked transfer variant:

POST /api/upload HTTP/1.1
Host: vulnerable-server
Transfer-Encoding: chunked800000
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
800000
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
0

If the server fails to enforce body size restrictions properly, the request continues to be processed.

This technique may be repeated rapidly to increase the likelihood of service disruption.

Impact Assessment

The primary impact of this vulnerability is service availability degradation or complete service outage.

Possible consequences include:

Application Impact

API services becoming unresponsive
request handling delays
connection timeouts

Resource Impact

excessive memory consumption
CPU spikes caused by body parsing loops
thread pool exhaustion

Infrastructure Impact

container memory limits being exceeded
automatic restarts triggered by orchestrators
cascading failures in dependent services

The vulnerability does not allow data theft or privilege escalation, but it can significantly disrupt operations.

MITRE ATT&CK Mapping

Technique ID	Technique Name
T1499	Endpoint Denial of Service
T1499.004	Application Exhaustion
T1190	Exploit Public Facing Application

CWE Mapping

CWE	Description
CWE-400	Uncontrolled Resource Consumption
CWE-770	Allocation of Resources Without Limits
CWE-20	Improper Input Validation

Indicators of Exploitation

Security teams may observe several indicators suggesting exploitation attempts.

Network Indicators

unusually large HTTP request bodies
repeated POST requests with excessive payload sizes
chunked transfer encoding with very large chunk sizes
connections remaining open while continuously streaming data

Application Indicators

request parsing errors
worker threads stuck in request processing
unexpected memory allocation failures

System Indicators

sudden spikes in application memory usage
abnormal CPU utilization
service restarts caused by memory exhaustion

Detection

Detection efforts should focus on identifying abnormal request body sizes and unusual HTTP request patterns.

Monitoring should include:

web server logs
reverse proxy logs
application logs
intrusion detection systems
API gateway telemetry

Requests with unusually large bodies or inconsistent header/body lengths should be considered suspicious.

Detection Rules

Suricata IDS Rule

alert http any any -> $HOME_NET any (
msg:"Possible cpp-httplib payload size bypass attempt";
flow:to_server,established;
content:"Content-Length"; http_header;
pcre:"/Content-Length:\s*(\d{7,})/H";
classtype:attempted-dos;
sid:2843501;
rev:1;
)

Snort Rule

alert tcp any any -> $HOME_NET 80 (
msg:"HTTP oversized payload possible cpp-httplib DoS";
flow:to_server,established;
content:"Content-Length"; http_header;
pcre:"/Content-Length:\s*(\d{7,})/";
classtype:attempted-dos;
sid:2843502;
rev:1;
)

Splunk Query

index=web_logs 
| eval body_size=tonumber(content_length)
| where body_size > 10000000
| stats count by src_ip, uri, body_size
| sort -body_size

Elastic Query

http.request.body.bytes > 10000000

KQL Query

HttpRequestBodyBytes > 10000000

Example Log Indicators

request body exceeded configured maximum
unexpected payload length detected
connection closed during body processing

memory allocation failure while reading HTTP body
request parsing timeout
worker thread stalled while processing request

Mitigation

Short-term mitigation strategies include enforcing strict body size limits at multiple layers of the infrastructure.

Recommended defensive measures include:

enforcing payload limits at reverse proxies
applying request rate limits
rejecting requests with extremely large Content-Length values
limiting chunked request sizes
implementing connection timeout policies

Reverse proxies and gateways should enforce maximum body sizes before requests reach the application.

Remediation

The vulnerability has been addressed by strengthening payload size validation in the request parsing logic.

Developers are advised to:

Update cpp-httplib to the patched release.
Replace older embedded versions of the httplib.h file.
Rebuild affected applications after upgrading.
Deploy additional request filtering controls at the infrastructure level.

Official Patch

The issue is resolved in the updated release of the library.

Patch / upgrade location:

https://github.com/yhirose/cpp-httplib/releases

Security Recommendations

Audit projects for embedded copies of httplib.h.
Ensure all services using cpp-httplib are updated to the patched version.
Monitor HTTP traffic for abnormal payload sizes.
Apply request body limits at the edge network layer.
Implement resource monitoring alerts for memory spikes.

CVE-2026-28435: Critical Payload Size Bypass in cpp-httplib Enables Remote Denial-of-Service Attacks