{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2026-22776", "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "state": "PUBLISHED", "assignerShortName": "GitHub_M", "dateReserved": "2026-01-09T18:27:19.388Z", "datePublished": "2026-01-12T18:18:01.527Z", "dateUpdated": "2026-01-12T18:49:59.317Z"}, "containers": {"cna": {"title": "cpp-httplib vulnerable to a denial of service (DOS) using a zip bomb", "problemTypes": [{"descriptions": [{"cweId": "CWE-409", "lang": "en", "description": "CWE-409: Improper Handling of Highly Compressed Data (Data Amplification)", "type": "CWE"}]}], "metrics": [{"cvssV4_0": {"attackVector": "NETWORK", "attackComplexity": "LOW", "attackRequirements": "NONE", "privilegesRequired": "NONE", "userInteraction": "NONE", "vulnConfidentialityImpact": "NONE", "vulnIntegrityImpact": "NONE", "vulnAvailabilityImpact": "HIGH", "subConfidentialityImpact": "NONE", "subIntegrityImpact": "NONE", "subAvailabilityImpact": "NONE", "baseScore": 8.7, "baseSeverity": "HIGH", "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N", "version": "4.0"}}], "references": [{"name": "https://github.com/yhirose/cpp-httplib/security/advisories/GHSA-h934-98h4-j43q", "tags": ["x_refsource_CONFIRM"], "url": "https://github.com/yhirose/cpp-httplib/security/advisories/GHSA-h934-98h4-j43q"}, {"name": "https://github.com/yhirose/cpp-httplib/commit/2e2e47bab1ae6a853476eecbc4bf279dd1fef792", "tags": ["x_refsource_MISC"], "url": "https://github.com/yhirose/cpp-httplib/commit/2e2e47bab1ae6a853476eecbc4bf279dd1fef792"}], "affected": [{"vendor": "yhirose", "product": "cpp-httplib", "versions": [{"version": "< 0.30.1", "status": "affected"}]}], "providerMetadata": {"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M", "dateUpdated": "2026-01-12T18:18:01.527Z"}, "descriptions": [{"lang": "en", "value": "cpp-httplib is a C++11 single-file header-only cross platform HTTP/HTTPS library. Prior to version 0.30.1, a Denial of Service (DoS) vulnerability exists in cpp-httplib due to the unsafe handling of compressed HTTP request bodies (Content-Encoding: gzip, br, etc.). The library validates the payload_max_length against the compressed data size received from the network, but does not limit the size of the decompressed data stored in memory."}], "source": {"advisory": "GHSA-h934-98h4-j43q", "discovery": "UNKNOWN"}}, "adp": [{"metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2026-01-12T18:49:48.624328Z", "id": "CVE-2026-22776", "options": [{"Exploitation": "poc"}, {"Automatable": "yes"}, {"Technical Impact": "partial"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-01-12T18:49:59.317Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2026-22776", "role": "CISA Coordinator", "options": [{"Exploitation": "poc"}, {"Automatable": "yes"}, {"Technical Impact": "partial"}], "version": "2.0.3", "timestamp": "2026-01-12T18:49:48.624328Z"}}}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-01-12T18:49:53.180Z"}}], "cna": {"title": "cpp-httplib vulnerable to a denial of service (DOS) using a zip bomb", "source": {"advisory": "GHSA-h934-98h4-j43q", "discovery": "UNKNOWN"}, "metrics": [{"cvssV4_0": {"version": "4.0", "baseScore": 8.7, "attackVector": "NETWORK", "baseSeverity": "HIGH", "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N", "userInteraction": "NONE", "attackComplexity": "LOW", "attackRequirements": "NONE", "privilegesRequired": "NONE", "subIntegrityImpact": "NONE", "vulnIntegrityImpact": "NONE", "subAvailabilityImpact": "NONE", "vulnAvailabilityImpact": "HIGH", "subConfidentialityImpact": "NONE", "vulnConfidentialityImpact": "NONE"}}], "affected": [{"vendor": "yhirose", "product": "cpp-httplib", "versions": [{"status": "affected", "version": "< 0.30.1"}]}], "references": [{"url": "https://github.com/yhirose/cpp-httplib/security/advisories/GHSA-h934-98h4-j43q", "name": "https://github.com/yhirose/cpp-httplib/security/advisories/GHSA-h934-98h4-j43q", "tags": ["x_refsource_CONFIRM"]}, {"url": "https://github.com/yhirose/cpp-httplib/commit/2e2e47bab1ae6a853476eecbc4bf279dd1fef792", "name": "https://github.com/yhirose/cpp-httplib/commit/2e2e47bab1ae6a853476eecbc4bf279dd1fef792", "tags": ["x_refsource_MISC"]}], "descriptions": [{"lang": "en", "value": "cpp-httplib is a C++11 single-file header-only cross platform HTTP/HTTPS library. Prior to version 0.30.1, a Denial of Service (DoS) vulnerability exists in cpp-httplib due to the unsafe handling of compressed HTTP request bodies (Content-Encoding: gzip, br, etc.). The library validates the payload_max_length against the compressed data size received from the network, but does not limit the size of the decompressed data stored in memory."}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-409", "description": "CWE-409: Improper Handling of Highly Compressed Data (Data Amplification)"}]}], "providerMetadata": {"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M", "dateUpdated": "2026-01-12T18:18:01.527Z"}}}, "cveMetadata": {"cveId": "CVE-2026-22776", "state": "PUBLISHED", "dateUpdated": "2026-01-12T18:49:59.317Z", "dateReserved": "2026-01-09T18:27:19.388Z", "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "datePublished": "2026-01-12T18:18:01.527Z", "assignerShortName": "GitHub_M"}, "dataVersion": "5.2"}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:yhirose:cpp-httplib:*:*:*:*:*:*:*:*", "matchCriteriaId": "CFD0603E-49FC-455F-AEE6-0BF4ADCC6E54", "versionEndExcluding": "0.30.1", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "cveTags": [], "descriptions": [{"lang": "en", "value": "cpp-httplib is a C++11 single-file header-only cross platform HTTP/HTTPS library. Prior to version 0.30.1, a Denial of Service (DoS) vulnerability exists in cpp-httplib due to the unsafe handling of compressed HTTP request bodies (Content-Encoding: gzip, br, etc.). The library validates the payload_max_length against the compressed data size received from the network, but does not limit the size of the decompressed data stored in memory."}], "id": "CVE-2026-22776", "lastModified": "2026-01-15T22:43:10.097", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 7.5, "baseSeverity": "HIGH", "confidentialityImpact": "NONE", "integrityImpact": "NONE", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", "version": "3.1"}, "exploitabilityScore": 3.9, "impactScore": 3.6, "source": "nvd@nist.gov", "type": "Primary"}], "cvssMetricV40": [{"cvssData": {"Automatable": "NOT_DEFINED", "Recovery": "NOT_DEFINED", "Safety": "NOT_DEFINED", "attackComplexity": "LOW", "attackRequirements": "NONE", "attackVector": "NETWORK", "availabilityRequirement": "NOT_DEFINED", "baseScore": 8.7, "baseSeverity": "HIGH", "confidentialityRequirement": "NOT_DEFINED", "exploitMaturity": "NOT_DEFINED", "integrityRequirement": "NOT_DEFINED", "modifiedAttackComplexity": "NOT_DEFINED", "modifiedAttackRequirements": "NOT_DEFINED", "modifiedAttackVector": "NOT_DEFINED", "modifiedPrivilegesRequired": "NOT_DEFINED", "modifiedSubAvailabilityImpact": "NOT_DEFINED", "modifiedSubConfidentialityImpact": "NOT_DEFINED", "modifiedSubIntegrityImpact": "NOT_DEFINED", "modifiedUserInteraction": "NOT_DEFINED", "modifiedVulnAvailabilityImpact": "NOT_DEFINED", "modifiedVulnConfidentialityImpact": "NOT_DEFINED", "modifiedVulnIntegrityImpact": "NOT_DEFINED", "privilegesRequired": "NONE", "providerUrgency": "NOT_DEFINED", "subAvailabilityImpact": "NONE", "subConfidentialityImpact": "NONE", "subIntegrityImpact": "NONE", "userInteraction": "NONE", "valueDensity": "NOT_DEFINED", "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X", "version": "4.0", "vulnAvailabilityImpact": "HIGH", "vulnConfidentialityImpact": "NONE", "vulnIntegrityImpact": "NONE", "vulnerabilityResponseEffort": "NOT_DEFINED"}, "source": "security-advisories@github.com", "type": "Secondary"}]}, "published": "2026-01-12T19:16:03.630", "references": [{"source": "security-advisories@github.com", "tags": ["Patch"], "url": "https://github.com/yhirose/cpp-httplib/commit/2e2e47bab1ae6a853476eecbc4bf279dd1fef792"}, {"source": "security-advisories@github.com", "tags": ["Exploit", "Vendor Advisory"], "url": "https://github.com/yhirose/cpp-httplib/security/advisories/GHSA-h934-98h4-j43q"}], "sourceIdentifier": "security-advisories@github.com", "vulnStatus": "Analyzed", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-409"}], "source": "security-advisories@github.com", "type": "Primary"}]}

{"bugzilla": {"description": "cpp-httplib: cpp-httplib: Denial of Service due to excessive memory usage from compressed HTTP request bodies", "id": "2428732", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2428732"}, "csaw": false, "cvss3": {"cvss3_base_score": "7.5", "cvss3_scoring_vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", "status": "draft"}, "cwe": "CWE-409", "details": ["cpp-httplib is a C++11 single-file header-only cross platform HTTP/HTTPS library. Prior to version 0.30.1, a Denial of Service (DoS) vulnerability exists in cpp-httplib due to the unsafe handling of compressed HTTP request bodies (Content-Encoding: gzip, br, etc.). The library validates the payload_max_length against the compressed data size received from the network, but does not limit the size of the decompressed data stored in memory.", "A flaw was found in cpp-httplib, a C++ HTTP/HTTPS library. A remote attacker can exploit this vulnerability by sending a specially crafted compressed HTTP request. While the library checks the size of the compressed data, it does not properly limit the size of the data after decompression, leading to excessive memory consumption. This can result in a Denial of Service (DoS), making the affected system unavailable."], "mitigation": {"lang": "en:us", "value": "Mitigation for this issue is either not available or the currently available options do not meet the Red Hat Product Security criteria comprising ease of use and deployment, applicability to widespread installation base, or stability."}, "name": "CVE-2026-22776", "public_date": "2026-01-12T18:18:01Z", "references": ["https://www.cve.org/CVERecord?id=CVE-2026-22776\nhttps://nvd.nist.gov/vuln/detail/CVE-2026-22776\nhttps://github.com/yhirose/cpp-httplib/commit/2e2e47bab1ae6a853476eecbc4bf279dd1fef792\nhttps://github.com/yhirose/cpp-httplib/security/advisories/GHSA-h934-98h4-j43q"], "statement": "This vulnerability is rated Important for Red Hat because it can lead to a denial of service in applications utilizing the cpp-httplib library to process compressed HTTP request bodies. The flaw occurs due to the library's failure to limit the size of decompressed data, allowing a small compressed payload to consume excessive memory.", "threat_severity": "Important"}

{"analysis": {"en": {"generated_at": "2026-04-18T16:28:31.376289+00:00", "value": {"mitigation_remediation": ["Upgrade cpp-httplib to version 0.30.1 or later, which limits decompressed request sizes", "Add application\u2011level validation to reject or truncate compressed request bodies that exceed a safe decompressed size threshold", "Configure your web server or API gateway to enforce maximum HTTP request size and reject oversized compressed payloads before they reach the application"], "summary": {"action": "Apply Patch", "impact": "Denial of Service (DoS)"}, "threat_synthesis": {"affected_systems": "The vulnerability affects all deployments of yhirose:cpp\u2011httplib built with a version earlier than 0.30.1, regardless of operating system, because the library is header\u2011only and used wherever the header is included in an application.", "description_and_impact": "cpp-httplib is a header\u2011only C++11 HTTP/HTTPS library. The defect lies in its handling of compressed HTTP request bodies. While the library checks that the compressed payload does not exceed a preset maximum length, it does not impose any limit on the size of the data after decompression. An attacker can therefore send a gzip or br encoded body that expands dramatically when decompressed, causing excessive memory allocation and ultimately exhausting the application\u2019s resources.", "risk_and_exploitability": "The vulnerability is rated with a CVSS score of 8.7, indicating a high severity risk. The EPSS score is reported as less than 1%, suggesting a low probability of exploitation at the current time. The vulnerability is not listed in the CISA KEV catalog. Based on the description, the most likely attack vector is remote: an adversary can target a server or service that includes the vulnerable library by sending a specially crafted HTTP request with a compressed body that expands to consume large amounts of memory, leading to a denial of service by exhausting system resources and affecting application availability."}}}}, "created": "2026-01-13T09:27:24.882306+00:00", "updated": "2026-04-18T16:30:05.092135+00:00", "vendors": ["yhirose", "yhirose$PRODUCT$cpp-httplib"]}