[Buildroot] [PATCH 1/2] package/cpp-httplib: security bump to v0.37.2

[Buildroot] [PATCH 1/2] package/cpp-httplib: security bump to v0.37.2

[Titouan Christophe via buildroot]

See the release notes of intermediate versions:
- https://github.com/yhirose/cpp-httplib/releases/tag/v0.28.0
- https://github.com/yhirose/cpp-httplib/releases/tag/v0.29.0
- https://github.com/yhirose/cpp-httplib/releases/tag/v0.30.0
- https://github.com/yhirose/cpp-httplib/releases/tag/v0.30.1
- https://github.com/yhirose/cpp-httplib/releases/tag/v0.30.2
- https://github.com/yhirose/cpp-httplib/releases/tag/v0.31.0
- https://github.com/yhirose/cpp-httplib/releases/tag/v0.32.0
- https://github.com/yhirose/cpp-httplib/releases/tag/v0.33.0
- https://github.com/yhirose/cpp-httplib/releases/tag/v0.33.1
- https://github.com/yhirose/cpp-httplib/releases/tag/v0.34.0
- https://github.com/yhirose/cpp-httplib/releases/tag/v0.35.0
- https://github.com/yhirose/cpp-httplib/releases/tag/v0.36.0
- https://github.com/yhirose/cpp-httplib/releases/tag/v0.37.0
- https://github.com/yhirose/cpp-httplib/releases/tag/v0.37.1
- https://github.com/yhirose/cpp-httplib/releases/tag/v0.37.2

This fixes numerous vulnerabilities:

- CVE-2026-21428:
    cpp-httplib is a C++11 single-file header-only cross platform
    HTTP/HTTPS library. Prior to version 0.30.0, the ``write_headers``
    function does not check for CR & LF characters in user supplied
    headers, allowing untrusted header value to escape header lines. This
    vulnerability allows attackers to add extra headers, modify request
    body unexpectedly & trigger an SSRF attack. When combined with a
    server that supports http1.1 pipelining (springboot, python twisted
    etc), this can be used for server side request forgery (SSRF). Version
    0.30.0 fixes this issue.
    https://www.cve.org/CVERecord?id=CVE-2026-21428

- CVE-2026-22776:
    cpp-httplib is a C++11 single-file header-only cross platform
    HTTP/HTTPS library. Prior to version 0.30.1, a Denial of Service (DoS)
    vulnerability exists in cpp-httplib due to the unsafe handling of
    compressed HTTP request bodies (Content-Encoding: gzip, br, etc.). The
    library validates the payload_max_length against the compressed data
    size received from the network, but does not limit the size of the
    decompressed data stored in memory.
    https://www.cve.org/CVERecord?id=CVE-2026-22776

- CVE-2026-28434:
    cpp-httplib is a C++11 single-file header-only cross platform
    HTTP/HTTPS library. Prior to 0.35.0, when a request handler throws a
    C++ exception and the application has not registered a custom
    exception handler via set_exception_handler(), the library catches the
    exception and writes its message directly into the HTTP response as a
    header named EXCEPTION_WHAT. This header is sent to whoever made the
    request, with no authentication check and no special configuration
    required to trigger it. The behavior is on by default. A developer who
    does not know to opt in to set_exception_handler() will ship a server
    that leaks internal exception messages to any client. This
    vulnerability is fixed in 0.35.0.
    https://www.cve.org/CVERecord?id=CVE-2026-28434

- CVE-2026-28435:
    cpp-httplib is a C++11 single-file header-only cross platform
    HTTP/HTTPS library. Prior to 0.35.0, cpp-httplib (httplib.h) does not
    enforce Server::set_payload_max_length() on the decompressed request
    body when using HandlerWithContentReader (streaming ContentReader)
    with Content-Encoding: gzip (or other supported encodings). A small
    compressed payload can expand beyond the configured payload limit and
    be processed by the application, enabling a payload size limit bypass
    and potential denial of service (CPU/memory exhaustion). This
    vulnerability is fixed in 0.35.0.
    https://www.cve.org/CVERecord?id=CVE-2026-28435

- CVE-2026-29076:
    cpp-httplib is a C++11 single-file header-only cross platform
    HTTP/HTTPS library. Prior to version 0.37.0, cpp-httplib uses
    std::regex (libstdc++) to parse RFC 5987 encoded filename* values in
    multipart Content-Disposition headers. The regex engine in libstdc++
    implements backtracking via deep recursion, consuming one stack frame
    per input character. An attacker can send a single HTTP POST request
    with a crafted filename* parameter that causes uncontrolled stack
    growth, resulting in a stack overflow (SIGSEGV) that crashes the
    server process. This issue has been patched in version 0.37.0.
    https://www.cve.org/CVERecord?id=CVE-2026-29076

- CVE-2026-31870:
    cpp-httplib is a C++11 single-file header-only cross platform
    HTTP/HTTPS library. Prior to 0.37.1, when a cpp-httplib client uses
    the streaming API (httplib::stream::Get, httplib::stream::Post, etc.),
    the library calls std::stoull() directly on the Content-Length header
    value received from the server with no input validation and no
    exception handling. std::stoull throws std::invalid_argument for non-
    numeric strings and std::out_of_range for values exceeding ULLONG_MAX.
    Since nothing catches these exceptions, the C++ runtime calls
    std::terminate(), which kills the process with SIGABRT. Any server the
    client connects to — including servers reached via HTTP redirects,
    third-party APIs, or man-in-the-middle positions can crash the client
    application with a single HTTP response. No authentication is
    required. No interaction from the end user is required. The crash is
    deterministic and immediate. This vulnerability is fixed in 0.37.1.
    https://www.cve.org/CVERecord?id=CVE-2026-31870

- CVE-2026-32627:
    cpp-httplib is a C++11 single-file header-only cross platform
    HTTP/HTTPS library. Prior to 0.37.2, when a cpp-httplib client is
    configured with a proxy and set_follow_location(true), any HTTPS
    redirect it follows will have TLS certificate and hostname
    verification silently disabled on the new connection. The client will
    accept any certificate presented by the redirect target — expired,
    self-signed, or forged — without raising an error or notifying the
    application. A network attacker in a position to return a redirect
    response can fully intercept the follow-up HTTPS connection, including
    any credentials or session tokens in flight. This vulnerability is
    fixed in 0.37.2.
    https://www.cve.org/CVERecord?id=CVE-2026-32627

Signed-off-by: Titouan Christophe <titouan.christophe@mind.be>
---
 package/cpp-httplib/cpp-httplib.hash | 2 +-
 package/cpp-httplib/cpp-httplib.mk   | 2 +-
 2 files changed, 2 insertions(+), 2 deletions(-)

diff --git a/package/cpp-httplib/cpp-httplib.hash b/package/cpp-httplib/cpp-httplib.hash
index 904bca6d02..076b30cfa1 100644
--- a/package/cpp-httplib/cpp-httplib.hash
+++ b/package/cpp-httplib/cpp-httplib.hash
@@ -1,3 +1,3 @@
 # Locally computed:
-sha256  cc57615af359efda816122dcfca37bcbb9f1591396f50a1fd1ad70bbe6050581  cpp-httplib-0.27.0.tar.gz
+sha256  909766cd7697153c9e588b0f96defe1868b7bb11d94b8d4f0c83bb4875bc9066  cpp-httplib-0.37.2.tar.gz
 sha256  4b45cbe16d7b71b89ae6127e26e0d90a029198ca5e958ad8e3d0b8bbed364d8b  LICENSE
diff --git a/package/cpp-httplib/cpp-httplib.mk b/package/cpp-httplib/cpp-httplib.mk
index ed5c33d2a5..56e8c27fc4 100644
--- a/package/cpp-httplib/cpp-httplib.mk
+++ b/package/cpp-httplib/cpp-httplib.mk
@@ -4,7 +4,7 @@
 #
 ################################################################################
 
-CPP_HTTPLIB_VERSION = 0.27.0
+CPP_HTTPLIB_VERSION = 0.37.2
 CPP_HTTPLIB_SITE = $(call github,yhirose,cpp-httplib,v$(CPP_HTTPLIB_VERSION))
 CPP_HTTPLIB_LICENSE = MIT
 CPP_HTTPLIB_LICENSE_FILES = LICENSE
-- 
2.53.0

_______________________________________________
buildroot mailing list
buildroot@buildroot.org
https://lists.buildroot.org/mailman/listinfo/buildroot

[Buildroot] [PATCH 2/2] package/cpp-httplib: bump to v0.40.0

[Titouan Christophe via buildroot]

See the release notes:

- https://github.com/yhirose/cpp-httplib/releases/tag/v0.38.0
- https://github.com/yhirose/cpp-httplib/releases/tag/v0.39.0
- https://github.com/yhirose/cpp-httplib/releases/tag/v0.40.0

Signed-off-by: Titouan Christophe <titouan.christophe@mind.be>
---
 package/cpp-httplib/cpp-httplib.hash | 2 +-
 package/cpp-httplib/cpp-httplib.mk   | 2 +-
 2 files changed, 2 insertions(+), 2 deletions(-)

diff --git a/package/cpp-httplib/cpp-httplib.hash b/package/cpp-httplib/cpp-httplib.hash
index 076b30cfa1..eb2b77bcd8 100644
--- a/package/cpp-httplib/cpp-httplib.hash
+++ b/package/cpp-httplib/cpp-httplib.hash
@@ -1,3 +1,3 @@
 # Locally computed:
-sha256  909766cd7697153c9e588b0f96defe1868b7bb11d94b8d4f0c83bb4875bc9066  cpp-httplib-0.37.2.tar.gz
+sha256  b52ecaebf0f94086c8b3305650412359d920c5267f6d9ce87f883198783af678  cpp-httplib-0.40.0.tar.gz
 sha256  4b45cbe16d7b71b89ae6127e26e0d90a029198ca5e958ad8e3d0b8bbed364d8b  LICENSE
diff --git a/package/cpp-httplib/cpp-httplib.mk b/package/cpp-httplib/cpp-httplib.mk
index 56e8c27fc4..5cc60565c6 100644
--- a/package/cpp-httplib/cpp-httplib.mk
+++ b/package/cpp-httplib/cpp-httplib.mk
@@ -4,7 +4,7 @@
 #
 ################################################################################
 
-CPP_HTTPLIB_VERSION = 0.37.2
+CPP_HTTPLIB_VERSION = 0.40.0
 CPP_HTTPLIB_SITE = $(call github,yhirose,cpp-httplib,v$(CPP_HTTPLIB_VERSION))
 CPP_HTTPLIB_LICENSE = MIT
 CPP_HTTPLIB_LICENSE_FILES = LICENSE
-- 
2.53.0

_______________________________________________
buildroot mailing list
buildroot@buildroot.org
https://lists.buildroot.org/mailman/listinfo/buildroot

Re: [Buildroot] [PATCH 1/2] package/cpp-httplib: security bump to v0.37.2

[Julien Olivain via buildroot]

On 30/03/2026 17:06, Titouan Christophe via buildroot wrote:
[...]
> Signed-off-by: Titouan Christophe <titouan.christophe@mind.be>

Series applied to master, thanks.
_______________________________________________
buildroot mailing list
buildroot@buildroot.org
https://lists.buildroot.org/mailman/listinfo/buildroot

Re: [Buildroot] [PATCH 2/2] package/cpp-httplib: bump to v0.40.0

[Thomas Perale via buildroot]

In reply of:
> See the release notes:
> 
> - https://github.com/yhirose/cpp-httplib/releases/tag/v0.38.0
> - https://github.com/yhirose/cpp-httplib/releases/tag/v0.39.0
> - https://github.com/yhirose/cpp-httplib/releases/tag/v0.40.0
> 
> Signed-off-by: Titouan Christophe <titouan.christophe@mind.be>

Applied to 2025.02.x & 2026.02.x. Thanks

> ---
>  package/cpp-httplib/cpp-httplib.hash | 2 +-
>  package/cpp-httplib/cpp-httplib.mk   | 2 +-
>  2 files changed, 2 insertions(+), 2 deletions(-)
> 
> diff --git a/package/cpp-httplib/cpp-httplib.hash b/package/cpp-httplib/cpp-httplib.hash
> index 076b30cfa1..eb2b77bcd8 100644
> --- a/package/cpp-httplib/cpp-httplib.hash
> +++ b/package/cpp-httplib/cpp-httplib.hash
> @@ -1,3 +1,3 @@
>  # Locally computed:
> -sha256  909766cd7697153c9e588b0f96defe1868b7bb11d94b8d4f0c83bb4875bc9066  cpp-httplib-0.37.2.tar.gz
> +sha256  b52ecaebf0f94086c8b3305650412359d920c5267f6d9ce87f883198783af678  cpp-httplib-0.40.0.tar.gz
>  sha256  4b45cbe16d7b71b89ae6127e26e0d90a029198ca5e958ad8e3d0b8bbed364d8b  LICENSE
> diff --git a/package/cpp-httplib/cpp-httplib.mk b/package/cpp-httplib/cpp-httplib.mk
> index 56e8c27fc4..5cc60565c6 100644
> --- a/package/cpp-httplib/cpp-httplib.mk
> +++ b/package/cpp-httplib/cpp-httplib.mk
> @@ -4,7 +4,7 @@
>  #
>  ################################################################################
>  
> -CPP_HTTPLIB_VERSION = 0.37.2
> +CPP_HTTPLIB_VERSION = 0.40.0
>  CPP_HTTPLIB_SITE = $(call github,yhirose,cpp-httplib,v$(CPP_HTTPLIB_VERSION))
>  CPP_HTTPLIB_LICENSE = MIT
>  CPP_HTTPLIB_LICENSE_FILES = LICENSE
> -- 
> 2.53.0
> 
> _______________________________________________
> buildroot mailing list
> buildroot@buildroot.org
> https://lists.buildroot.org/mailman/listinfo/buildroot
_______________________________________________
buildroot mailing list
buildroot@buildroot.org
https://lists.buildroot.org/mailman/listinfo/buildroot

Re: [Buildroot] [PATCH 1/2] package/cpp-httplib: security bump to v0.37.2

[Thomas Perale via buildroot]

In reply of:
> See the release notes of intermediate versions:
> - https://github.com/yhirose/cpp-httplib/releases/tag/v0.28.0
> - https://github.com/yhirose/cpp-httplib/releases/tag/v0.29.0
> - https://github.com/yhirose/cpp-httplib/releases/tag/v0.30.0
> - https://github.com/yhirose/cpp-httplib/releases/tag/v0.30.1
> - https://github.com/yhirose/cpp-httplib/releases/tag/v0.30.2
> - https://github.com/yhirose/cpp-httplib/releases/tag/v0.31.0
> - https://github.com/yhirose/cpp-httplib/releases/tag/v0.32.0
> - https://github.com/yhirose/cpp-httplib/releases/tag/v0.33.0
> - https://github.com/yhirose/cpp-httplib/releases/tag/v0.33.1
> - https://github.com/yhirose/cpp-httplib/releases/tag/v0.34.0
> - https://github.com/yhirose/cpp-httplib/releases/tag/v0.35.0
> - https://github.com/yhirose/cpp-httplib/releases/tag/v0.36.0
> - https://github.com/yhirose/cpp-httplib/releases/tag/v0.37.0
> - https://github.com/yhirose/cpp-httplib/releases/tag/v0.37.1
> - https://github.com/yhirose/cpp-httplib/releases/tag/v0.37.2
> 
> This fixes numerous vulnerabilities:
> 
> - CVE-2026-21428:
>     cpp-httplib is a C++11 single-file header-only cross platform
>     HTTP/HTTPS library. Prior to version 0.30.0, the ``write_headers``
>     function does not check for CR & LF characters in user supplied
>     headers, allowing untrusted header value to escape header lines. This
>     vulnerability allows attackers to add extra headers, modify request
>     body unexpectedly & trigger an SSRF attack. When combined with a
>     server that supports http1.1 pipelining (springboot, python twisted
>     etc), this can be used for server side request forgery (SSRF). Version
>     0.30.0 fixes this issue.
>     https://www.cve.org/CVERecord?id=CVE-2026-21428
> 
> - CVE-2026-22776:
>     cpp-httplib is a C++11 single-file header-only cross platform
>     HTTP/HTTPS library. Prior to version 0.30.1, a Denial of Service (DoS)
>     vulnerability exists in cpp-httplib due to the unsafe handling of
>     compressed HTTP request bodies (Content-Encoding: gzip, br, etc.). The
>     library validates the payload_max_length against the compressed data
>     size received from the network, but does not limit the size of the
>     decompressed data stored in memory.
>     https://www.cve.org/CVERecord?id=CVE-2026-22776
> 
> - CVE-2026-28434:
>     cpp-httplib is a C++11 single-file header-only cross platform
>     HTTP/HTTPS library. Prior to 0.35.0, when a request handler throws a
>     C++ exception and the application has not registered a custom
>     exception handler via set_exception_handler(), the library catches the
>     exception and writes its message directly into the HTTP response as a
>     header named EXCEPTION_WHAT. This header is sent to whoever made the
>     request, with no authentication check and no special configuration
>     required to trigger it. The behavior is on by default. A developer who
>     does not know to opt in to set_exception_handler() will ship a server
>     that leaks internal exception messages to any client. This
>     vulnerability is fixed in 0.35.0.
>     https://www.cve.org/CVERecord?id=CVE-2026-28434
> 
> - CVE-2026-28435:
>     cpp-httplib is a C++11 single-file header-only cross platform
>     HTTP/HTTPS library. Prior to 0.35.0, cpp-httplib (httplib.h) does not
>     enforce Server::set_payload_max_length() on the decompressed request
>     body when using HandlerWithContentReader (streaming ContentReader)
>     with Content-Encoding: gzip (or other supported encodings). A small
>     compressed payload can expand beyond the configured payload limit and
>     be processed by the application, enabling a payload size limit bypass
>     and potential denial of service (CPU/memory exhaustion). This
>     vulnerability is fixed in 0.35.0.
>     https://www.cve.org/CVERecord?id=CVE-2026-28435
> 
> - CVE-2026-29076:
>     cpp-httplib is a C++11 single-file header-only cross platform
>     HTTP/HTTPS library. Prior to version 0.37.0, cpp-httplib uses
>     std::regex (libstdc++) to parse RFC 5987 encoded filename* values in
>     multipart Content-Disposition headers. The regex engine in libstdc++
>     implements backtracking via deep recursion, consuming one stack frame
>     per input character. An attacker can send a single HTTP POST request
>     with a crafted filename* parameter that causes uncontrolled stack
>     growth, resulting in a stack overflow (SIGSEGV) that crashes the
>     server process. This issue has been patched in version 0.37.0.
>     https://www.cve.org/CVERecord?id=CVE-2026-29076
> 
> - CVE-2026-31870:
>     cpp-httplib is a C++11 single-file header-only cross platform
>     HTTP/HTTPS library. Prior to 0.37.1, when a cpp-httplib client uses
>     the streaming API (httplib::stream::Get, httplib::stream::Post, etc.),
>     the library calls std::stoull() directly on the Content-Length header
>     value received from the server with no input validation and no
>     exception handling. std::stoull throws std::invalid_argument for non-
>     numeric strings and std::out_of_range for values exceeding ULLONG_MAX.
>     Since nothing catches these exceptions, the C++ runtime calls
>     std::terminate(), which kills the process with SIGABRT. Any server the
>     client connects to — including servers reached via HTTP redirects,
>     third-party APIs, or man-in-the-middle positions can crash the client
>     application with a single HTTP response. No authentication is
>     required. No interaction from the end user is required. The crash is
>     deterministic and immediate. This vulnerability is fixed in 0.37.1.
>     https://www.cve.org/CVERecord?id=CVE-2026-31870
> 
> - CVE-2026-32627:
>     cpp-httplib is a C++11 single-file header-only cross platform
>     HTTP/HTTPS library. Prior to 0.37.2, when a cpp-httplib client is
>     configured with a proxy and set_follow_location(true), any HTTPS
>     redirect it follows will have TLS certificate and hostname
>     verification silently disabled on the new connection. The client will
>     accept any certificate presented by the redirect target — expired,
>     self-signed, or forged — without raising an error or notifying the
>     application. A network attacker in a position to return a redirect
>     response can fully intercept the follow-up HTTPS connection, including
>     any credentials or session tokens in flight. This vulnerability is
>     fixed in 0.37.2.
>     https://www.cve.org/CVERecord?id=CVE-2026-32627
> 
> Signed-off-by: Titouan Christophe <titouan.christophe@mind.be>

Applied to 2025.02.x & 2026.02.x. Thanks

> ---
>  package/cpp-httplib/cpp-httplib.hash | 2 +-
>  package/cpp-httplib/cpp-httplib.mk   | 2 +-
>  2 files changed, 2 insertions(+), 2 deletions(-)
> 
> diff --git a/package/cpp-httplib/cpp-httplib.hash b/package/cpp-httplib/cpp-httplib.hash
> index 904bca6d02..076b30cfa1 100644
> --- a/package/cpp-httplib/cpp-httplib.hash
> +++ b/package/cpp-httplib/cpp-httplib.hash
> @@ -1,3 +1,3 @@
>  # Locally computed:
> -sha256  cc57615af359efda816122dcfca37bcbb9f1591396f50a1fd1ad70bbe6050581  cpp-httplib-0.27.0.tar.gz
> +sha256  909766cd7697153c9e588b0f96defe1868b7bb11d94b8d4f0c83bb4875bc9066  cpp-httplib-0.37.2.tar.gz
>  sha256  4b45cbe16d7b71b89ae6127e26e0d90a029198ca5e958ad8e3d0b8bbed364d8b  LICENSE
> diff --git a/package/cpp-httplib/cpp-httplib.mk b/package/cpp-httplib/cpp-httplib.mk
> index ed5c33d2a5..56e8c27fc4 100644
> --- a/package/cpp-httplib/cpp-httplib.mk
> +++ b/package/cpp-httplib/cpp-httplib.mk
> @@ -4,7 +4,7 @@
>  #
>  ################################################################################
>  
> -CPP_HTTPLIB_VERSION = 0.27.0
> +CPP_HTTPLIB_VERSION = 0.37.2
>  CPP_HTTPLIB_SITE = $(call github,yhirose,cpp-httplib,v$(CPP_HTTPLIB_VERSION))
>  CPP_HTTPLIB_LICENSE = MIT
>  CPP_HTTPLIB_LICENSE_FILES = LICENSE
> -- 
> 2.53.0
> 
> _______________________________________________
> buildroot mailing list
> buildroot@buildroot.org
> https://lists.buildroot.org/mailman/listinfo/buildroot
_______________________________________________
buildroot mailing list
buildroot@buildroot.org
https://lists.buildroot.org/mailman/listinfo/buildroot