From: Thomas Perale via buildroot <buildroot@buildroot.org>
To: Titouan Christophe <titouan.christophe@mind.be>
Cc: Thomas Perale <thomas.perale@mind.be>, buildroot@buildroot.org
Subject: Re: [Buildroot] [PATCH 1/2] package/cpp-httplib: security bump to v0.37.2
Date: Tue, 14 Apr 2026 17:44:24 +0200
Message-ID: <20260414154601.334977-1-thomas.perale@mind.be>
In-Reply-To: <20260330150605.300571-1-titouan.christophe@mind.be>
> See the release notes of intermediate versions:
> - https://github.com/yhirose/cpp-httplib/releases/tag/v0.28.0
> - https://github.com/yhirose/cpp-httplib/releases/tag/v0.29.0
> - https://github.com/yhirose/cpp-httplib/releases/tag/v0.30.0
> - https://github.com/yhirose/cpp-httplib/releases/tag/v0.30.1
> - https://github.com/yhirose/cpp-httplib/releases/tag/v0.30.2
> - https://github.com/yhirose/cpp-httplib/releases/tag/v0.31.0
> - https://github.com/yhirose/cpp-httplib/releases/tag/v0.32.0
> - https://github.com/yhirose/cpp-httplib/releases/tag/v0.33.0
> - https://github.com/yhirose/cpp-httplib/releases/tag/v0.33.1
> - https://github.com/yhirose/cpp-httplib/releases/tag/v0.34.0
> - https://github.com/yhirose/cpp-httplib/releases/tag/v0.35.0
> - https://github.com/yhirose/cpp-httplib/releases/tag/v0.36.0
> - https://github.com/yhirose/cpp-httplib/releases/tag/v0.37.0
> - https://github.com/yhirose/cpp-httplib/releases/tag/v0.37.1
> - https://github.com/yhirose/cpp-httplib/releases/tag/v0.37.2
>
> This fixes numerous vulnerabilities:
>
> - CVE-2026-21428:
> cpp-httplib is a C++11 single-file header-only cross platform
> HTTP/HTTPS library. Prior to version 0.30.0, the ``write_headers``
> function does not check for CR & LF characters in user supplied
> headers, allowing untrusted header values to escape header lines. This
> vulnerability allows attackers to add extra headers, modify the request
> body unexpectedly & trigger an SSRF attack. When combined with a
> server that supports HTTP/1.1 pipelining (Spring Boot, Python Twisted,
> etc.), this can be used for server side request forgery (SSRF). Version
> 0.30.0 fixes this issue.
> https://www.cve.org/CVERecord?id=CVE-2026-21428
>
> - CVE-2026-22776:
> cpp-httplib is a C++11 single-file header-only cross platform
> HTTP/HTTPS library. Prior to version 0.30.1, a Denial of Service (DoS)
> vulnerability exists in cpp-httplib due to the unsafe handling of
> compressed HTTP request bodies (Content-Encoding: gzip, br, etc.). The
> library validates the payload_max_length against the compressed data
> size received from the network, but does not limit the size of the
> decompressed data stored in memory.
> https://www.cve.org/CVERecord?id=CVE-2026-22776
>
> - CVE-2026-28434:
> cpp-httplib is a C++11 single-file header-only cross platform
> HTTP/HTTPS library. Prior to 0.35.0, when a request handler throws a
> C++ exception and the application has not registered a custom
> exception handler via set_exception_handler(), the library catches the
> exception and writes its message directly into the HTTP response as a
> header named EXCEPTION_WHAT. This header is sent to whoever made the
> request, with no authentication check and no special configuration
> required to trigger it. The behavior is on by default. A developer who
> does not know to opt in to set_exception_handler() will ship a server
> that leaks internal exception messages to any client. This
> vulnerability is fixed in 0.35.0.
> https://www.cve.org/CVERecord?id=CVE-2026-28434
>
> - CVE-2026-28435:
> cpp-httplib is a C++11 single-file header-only cross platform
> HTTP/HTTPS library. Prior to 0.35.0, cpp-httplib (httplib.h) does not
> enforce Server::set_payload_max_length() on the decompressed request
> body when using HandlerWithContentReader (streaming ContentReader)
> with Content-Encoding: gzip (or other supported encodings). A small
> compressed payload can expand beyond the configured payload limit and
> be processed by the application, enabling a payload size limit bypass
> and potential denial of service (CPU/memory exhaustion). This
> vulnerability is fixed in 0.35.0.
> https://www.cve.org/CVERecord?id=CVE-2026-28435
>
> - CVE-2026-29076:
> cpp-httplib is a C++11 single-file header-only cross platform
> HTTP/HTTPS library. Prior to version 0.37.0, cpp-httplib uses
> std::regex (libstdc++) to parse RFC 5987 encoded filename* values in
> multipart Content-Disposition headers. The regex engine in libstdc++
> implements backtracking via deep recursion, consuming one stack frame
> per input character. An attacker can send a single HTTP POST request
> with a crafted filename* parameter that causes uncontrolled stack
> growth, resulting in a stack overflow (SIGSEGV) that crashes the
> server process. This issue has been patched in version 0.37.0.
> https://www.cve.org/CVERecord?id=CVE-2026-29076
>
> - CVE-2026-31870:
> cpp-httplib is a C++11 single-file header-only cross platform
> HTTP/HTTPS library. Prior to 0.37.1, when a cpp-httplib client uses
> the streaming API (httplib::stream::Get, httplib::stream::Post, etc.),
> the library calls std::stoull() directly on the Content-Length header
> value received from the server with no input validation and no
> exception handling. std::stoull throws std::invalid_argument for non-
> numeric strings and std::out_of_range for values exceeding ULLONG_MAX.
> Since nothing catches these exceptions, the C++ runtime calls
> std::terminate(), which kills the process with SIGABRT. Any server the
> client connects to — including servers reached via HTTP redirects,
> third-party APIs, or man-in-the-middle positions — can crash the client
> application with a single HTTP response. No authentication is
> required. No interaction from the end user is required. The crash is
> deterministic and immediate. This vulnerability is fixed in 0.37.1.
> https://www.cve.org/CVERecord?id=CVE-2026-31870
>
> - CVE-2026-32627:
> cpp-httplib is a C++11 single-file header-only cross platform
> HTTP/HTTPS library. Prior to 0.37.2, when a cpp-httplib client is
> configured with a proxy and set_follow_location(true), any HTTPS
> redirect it follows will have TLS certificate and hostname
> verification silently disabled on the new connection. The client will
> accept any certificate presented by the redirect target — expired,
> self-signed, or forged — without raising an error or notifying the
> application. A network attacker in a position to return a redirect
> response can fully intercept the follow-up HTTPS connection, including
> any credentials or session tokens in flight. This vulnerability is
> fixed in 0.37.2.
> https://www.cve.org/CVERecord?id=CVE-2026-32627
>
> Signed-off-by: Titouan Christophe <titouan.christophe@mind.be>
Applied to 2025.02.x & 2026.02.x. Thanks
> ---
> package/cpp-httplib/cpp-httplib.hash | 2 +-
> package/cpp-httplib/cpp-httplib.mk | 2 +-
> 2 files changed, 2 insertions(+), 2 deletions(-)
>
> diff --git a/package/cpp-httplib/cpp-httplib.hash b/package/cpp-httplib/cpp-httplib.hash
> index 904bca6d02..076b30cfa1 100644
> --- a/package/cpp-httplib/cpp-httplib.hash
> +++ b/package/cpp-httplib/cpp-httplib.hash
> @@ -1,3 +1,3 @@
> # Locally computed:
> -sha256 cc57615af359efda816122dcfca37bcbb9f1591396f50a1fd1ad70bbe6050581 cpp-httplib-0.27.0.tar.gz
> +sha256 909766cd7697153c9e588b0f96defe1868b7bb11d94b8d4f0c83bb4875bc9066 cpp-httplib-0.37.2.tar.gz
> sha256 4b45cbe16d7b71b89ae6127e26e0d90a029198ca5e958ad8e3d0b8bbed364d8b LICENSE
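Review bot: the `+sha256 ... cpp-httplib-0.37.2.tar.gz` line carries a locally computed checksum with no upstream-published value to cross-check it against; for a security bump it is worth stating in the commit message how the tarball was fetched and the hash regenerated, so a second reviewer can reproduce the value before it lands on the maintenance branches. The unchanged LICENSE hash is consistent with the license text not having changed across the bump.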
> diff --git a/package/cpp-httplib/cpp-httplib.mk b/package/cpp-httplib/cpp-httplib.mk
> index ed5c33d2a5..56e8c27fc4 100644
> --- a/package/cpp-httplib/cpp-httplib.mk
> +++ b/package/cpp-httplib/cpp-httplib.mk
> @@ -4,7 +4,7 @@
> #
> ################################################################################
>
> -CPP_HTTPLIB_VERSION = 0.27.0
> +CPP_HTTPLIB_VERSION = 0.37.2
> CPP_HTTPLIB_SITE = $(call github,yhirose,cpp-httplib,v$(CPP_HTTPLIB_VERSION))
> CPP_HTTPLIB_LICENSE = MIT
> CPP_HTTPLIB_LICENSE_FILES = LICENSE
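Review bot: the `-CPP_HTTPLIB_VERSION = 0.27.0` / `+CPP_HTTPLIB_VERSION = 0.37.2` pair spans ten minor releases while the rest of the .mk is untouched, and the commit message does not say whether in-tree reverse dependencies were build-tested against the new header; since at least one listed fix changes library behaviour (write_headers rejecting CR/LF in header values from 0.30.0), a one-line note on the build test, or that nothing in the tree depends on the package, would make the bump easier to review.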
> --
> 2.53.0
>
> _______________________________________________
> buildroot mailing list
> buildroot@buildroot.org
> https://lists.buildroot.org/mailman/listinfo/buildroot
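The two failure modes quoted above for CVE-2026-31870 (std::stoull on an unvalidated Content-Length) and CVE-2026-21428 (CR/LF in a header value), shown from the defensive side in an added example that is not cpp-httplib's own code: a non-throwing Content-Length parser and a header-value check applied before a header line is emitted. The function and struct names are assumptions.

```cpp
#include <cctype>
#include <cstdint>
#include <limits>
#include <string>

// Result of a non-throwing Content-Length parse; value is valid only when ok.
struct ContentLength { bool ok; uint64_t value; };

// Hardened parse of a Content-Length value. The pre-0.37.1 path described for
// CVE-2026-31870 called std::stoull, which throws std::invalid_argument on
// non-numeric input and std::out_of_range past ULLONG_MAX; uncaught, that
// reaches std::terminate(). This parser never throws and reports failure.
ContentLength parse_content_length(const std::string &value) {
  const ContentLength reject{false, 0};
  if (value.empty()) return reject;
  uint64_t n = 0;
  const uint64_t max = std::numeric_limits<uint64_t>::max();
  for (char c : value) {
    if (c < '0' || c > '9') return reject;      // RFC 9110: 1*DIGIT only
    uint64_t d = static_cast<uint64_t>(c - '0');
    if (n > (max - d) / 10) return reject;      // n*10 + d would overflow
    n = n * 10 + d;
  }
  return ContentLength{true, n};
}

// Header-value check for the CR/LF injection described for CVE-2026-21428:
// a CR or LF inside a value ends the header line early, so the rest of the
// value is parsed as further headers or as body. Reject CR, LF and every
// other control character except HTAB.
bool header_value_is_safe(const std::string &value) {
  for (unsigned char c : value) {
    if (c == '\r' || c == '\n') return false;
    if ((c < 0x20 && c != '\t') || c == 0x7f) return false;
  }
  return true;
}

// Emits "Name: value\r\n" only when both parts pass the checks; an empty
// string signals rejection so a caller cannot write an injected line.
std::string make_header_line(const std::string &name, const std::string &value) {
  if (name.empty() || !header_value_is_safe(value)) return "";
  for (unsigned char c : name) {
    if (!std::isalnum(c) && c != '-') return "";  // simplified RFC 9110 token
  }
  return name + ": " + value + "\r\n";
}
```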