{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2026-29076", "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "state": "PUBLISHED", "assignerShortName": "GitHub_M", "dateReserved": "2026-03-03T20:51:43.483Z", "datePublished": "2026-03-07T16:08:56.048Z", "dateUpdated": "2026-03-09T18:25:58.815Z"}, "containers": {"cna": {"title": "cpp-httplib: Stack Overflow Denial of Service (DoS) via std::regex in multipart filename parsing", "problemTypes": [{"descriptions": [{"cweId": "CWE-674", "lang": "en", "description": "CWE-674: Uncontrolled Recursion", "type": "CWE"}]}, {"descriptions": [{"cweId": "CWE-1333", "lang": "en", "description": "CWE-1333: Inefficient Regular Expression Complexity", "type": "CWE"}]}], "metrics": [{"cvssV3_1": {"attackComplexity": "HIGH", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 5.9, "baseSeverity": "MEDIUM", "confidentialityImpact": "NONE", "integrityImpact": "NONE", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:H", "version": "3.1"}}], "references": [{"name": "https://github.com/yhirose/cpp-httplib/security/advisories/GHSA-qq6v-r583-3h69", "tags": ["x_refsource_CONFIRM"], "url": "https://github.com/yhirose/cpp-httplib/security/advisories/GHSA-qq6v-r583-3h69"}, {"name": "https://github.com/yhirose/cpp-httplib/commit/de296af3eb5b0d5c116470e033db900e4812c5e6", "tags": ["x_refsource_MISC"], "url": "https://github.com/yhirose/cpp-httplib/commit/de296af3eb5b0d5c116470e033db900e4812c5e6"}, {"name": "https://github.com/yhirose/cpp-httplib/releases/tag/v0.37.0", "tags": ["x_refsource_MISC"], "url": "https://github.com/yhirose/cpp-httplib/releases/tag/v0.37.0"}], "affected": [{"vendor": "yhirose", "product": "cpp-httplib", "versions": [{"version": "< 0.37.0", "status": "affected"}]}], "providerMetadata": {"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M", "dateUpdated": "2026-03-07T16:08:56.048Z"}, "descriptions": [{"lang": "en", "value": "cpp-httplib is a C++11 single-file header-only cross platform HTTP/HTTPS library. Prior to version 0.37.0, cpp-httplib uses std::regex (libstdc++) to parse RFC 5987 encoded filename* values in multipart Content-Disposition headers. The regex engine in libstdc++ implements backtracking via deep recursion, consuming one stack frame per input character. An attacker can send a single HTTP POST request with a crafted filename* parameter that causes uncontrolled stack growth, resulting in a stack overflow (SIGSEGV) that crashes the server process. This issue has been patched in version 0.37.0."}], "source": {"advisory": "GHSA-qq6v-r583-3h69", "discovery": "UNKNOWN"}}, "adp": [{"metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2026-03-09T17:52:24.982073Z", "id": "CVE-2026-29076", "options": [{"Exploitation": "poc"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-03-09T18:25:58.815Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2026-29076", "role": "CISA Coordinator", "options": [{"Exploitation": "poc"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "version": "2.0.3", "timestamp": "2026-03-09T17:52:24.982073Z"}}}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-03-09T17:52:26.136Z"}}], "cna": {"title": "cpp-httplib: Stack Overflow Denial of Service (DoS) via std::regex in multipart filename parsing", "source": {"advisory": "GHSA-qq6v-r583-3h69", "discovery": "UNKNOWN"}, "metrics": [{"cvssV3_1": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 5.9, "attackVector": "NETWORK", "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:H", "integrityImpact": "NONE", "userInteraction": "NONE", "attackComplexity": "HIGH", "availabilityImpact": "HIGH", "privilegesRequired": "NONE", "confidentialityImpact": "NONE"}}], "affected": [{"vendor": "yhirose", "product": "cpp-httplib", "versions": [{"status": "affected", "version": "< 0.37.0"}]}], "references": [{"url": "https://github.com/yhirose/cpp-httplib/security/advisories/GHSA-qq6v-r583-3h69", "name": "https://github.com/yhirose/cpp-httplib/security/advisories/GHSA-qq6v-r583-3h69", "tags": ["x_refsource_CONFIRM"]}, {"url": "https://github.com/yhirose/cpp-httplib/commit/de296af3eb5b0d5c116470e033db900e4812c5e6", "name": "https://github.com/yhirose/cpp-httplib/commit/de296af3eb5b0d5c116470e033db900e4812c5e6", "tags": ["x_refsource_MISC"]}, {"url": "https://github.com/yhirose/cpp-httplib/releases/tag/v0.37.0", "name": "https://github.com/yhirose/cpp-httplib/releases/tag/v0.37.0", "tags": ["x_refsource_MISC"]}], "descriptions": [{"lang": "en", "value": "cpp-httplib is a C++11 single-file header-only cross platform HTTP/HTTPS library. Prior to version 0.37.0, cpp-httplib uses std::regex (libstdc++) to parse RFC 5987 encoded filename* values in multipart Content-Disposition headers. The regex engine in libstdc++ implements backtracking via deep recursion, consuming one stack frame per input character. An attacker can send a single HTTP POST request with a crafted filename* parameter that causes uncontrolled stack growth, resulting in a stack overflow (SIGSEGV) that crashes the server process. This issue has been patched in version 0.37.0."}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-674", "description": "CWE-674: Uncontrolled Recursion"}]}, {"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-1333", "description": "CWE-1333: Inefficient Regular Expression Complexity"}]}], "providerMetadata": {"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M", "dateUpdated": "2026-03-07T16:08:56.048Z"}}}, "cveMetadata": {"cveId": "CVE-2026-29076", "state": "PUBLISHED", "dateUpdated": "2026-03-09T18:25:58.815Z", "dateReserved": "2026-03-03T20:51:43.483Z", "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "datePublished": "2026-03-07T16:08:56.048Z", "assignerShortName": "GitHub_M"}, "dataVersion": "5.2"}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:yhirose:cpp-httplib:*:*:*:*:*:*:*:*", "matchCriteriaId": "DF662624-3D9C-43DE-BAA8-29A734A27040", "versionEndExcluding": "0.37.0", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "cveTags": [], "descriptions": [{"lang": "en", "value": "cpp-httplib is a C++11 single-file header-only cross platform HTTP/HTTPS library. Prior to version 0.37.0, cpp-httplib uses std::regex (libstdc++) to parse RFC 5987 encoded filename* values in multipart Content-Disposition headers. The regex engine in libstdc++ implements backtracking via deep recursion, consuming one stack frame per input character. An attacker can send a single HTTP POST request with a crafted filename* parameter that causes uncontrolled stack growth, resulting in a stack overflow (SIGSEGV) that crashes the server process. This issue has been patched in version 0.37.0."}, {"lang": "es", "value": "cpp-httplib es una biblioteca HTTP/HTTPS C++11 de un solo archivo, solo de encabezado y multiplataforma. Antes de la versi\u00f3n 0.37.0, cpp-httplib utiliza std::regex (libstdc++) para analizar valores filename* codificados seg\u00fan RFC 5987 en encabezados Content-Disposition multipart. El motor de expresiones regulares en libstdc++ implementa retroceso mediante recursi\u00f3n profunda, consumiendo un marco de pila por cada car\u00e1cter de entrada. Un atacante puede enviar una \u00fanica solicitud HTTP POST con un par\u00e1metro filename* manipulado que causa un crecimiento descontrolado de la pila, resultando en un desbordamiento de pila (SIGSEGV) que bloquea el proceso del servidor. Este problema ha sido parcheado en la versi\u00f3n 0.37.0."}], "id": "CVE-2026-29076", "lastModified": "2026-03-09T21:19:35.750", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "HIGH", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 5.9, "baseSeverity": "MEDIUM", "confidentialityImpact": "NONE", "integrityImpact": "NONE", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:H", "version": "3.1"}, "exploitabilityScore": 2.2, "impactScore": 3.6, "source": "security-advisories@github.com", "type": "Secondary"}]}, "published": "2026-03-07T16:15:54.193", "references": [{"source": "security-advisories@github.com", "tags": ["Patch"], "url": "https://github.com/yhirose/cpp-httplib/commit/de296af3eb5b0d5c116470e033db900e4812c5e6"}, {"source": "security-advisories@github.com", "tags": ["Product", "Release Notes"], "url": "https://github.com/yhirose/cpp-httplib/releases/tag/v0.37.0"}, {"source": "security-advisories@github.com", "tags": ["Exploit", "Vendor Advisory"], "url": "https://github.com/yhirose/cpp-httplib/security/advisories/GHSA-qq6v-r583-3h69"}], "sourceIdentifier": "security-advisories@github.com", "vulnStatus": "Analyzed", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-674"}, {"lang": "en", "value": "CWE-1333"}], "source": "security-advisories@github.com", "type": "Primary"}]}

{"bugzilla": {"description": "cpp-httplib: cpp-httplib: Denial of Service via crafted HTTP POST request", "id": "2445491", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2445491"}, "csaw": false, "cvss3": {"cvss3_base_score": "5.9", "cvss3_scoring_vector": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:H", "status": "draft"}, "cwe": "CWE-1333", "details": ["A flaw was found in cpp-httplib, a C++11 single-file header-only cross-platform HTTP/HTTPS library. A remote attacker can exploit this vulnerability by sending a specially crafted HTTP POST request with a malicious filename* parameter in the Content-Disposition header. This triggers uncontrolled stack growth due to the std::regex engine's deep recursion, leading to a stack overflow and causing the server process to crash, resulting in a Denial of Service (DoS)."], "mitigation": {"lang": "en:us", "value": "Mitigation for this issue is either not available or the currently available options do not meet the Red Hat Product Security criteria comprising ease of use and deployment, applicability to widespread installation base, or stability."}, "name": "CVE-2026-29076", "public_date": "2026-03-07T16:08:56Z", "references": ["https://www.cve.org/CVERecord?id=CVE-2026-29076\nhttps://nvd.nist.gov/vuln/detail/CVE-2026-29076\nhttps://github.com/yhirose/cpp-httplib/commit/de296af3eb5b0d5c116470e033db900e4812c5e6\nhttps://github.com/yhirose/cpp-httplib/releases/tag/v0.37.0\nhttps://github.com/yhirose/cpp-httplib/security/advisories/GHSA-qq6v-r583-3h69"], "statement": "The vulnerability CVE-2026-29076 is of MODERATE impact. It affects applications utilizing the `cpp-httplib` library to parse multipart `Content-Disposition` headers, specifically when handling `filename*` values. A remote attacker can send a crafted HTTP POST request, leading to a stack overflow and denial of service in the server process. This issue primarily impacts services that accept and process such multipart requests.", "threat_severity": "Moderate"}

{"affected": [{"configurations": [{"platform": null, "status": "affected", "versions": {"scheme": "semver", "value": "[0,0.37.0)"}}], "enrichment": {"confidence": 100.0, "confidence_source": "matching", "scores": [{"score": 100.0, "source": "matching"}]}, "original": {"product": "cpp-httplib", "source": "cna", "vendor": "yhirose"}, "product": "cpp-httplib", "vendor": "yhirose"}], "analysis": {"en": {"generated_at": "2026-04-16T10:50:42.401556+00:00", "value": {"mitigation_remediation": ["Upgrade cpp-httplib to version 0.37.0 or later, which removes the vulnerable regex-based parsing logic.", "If the application must continue using an older cpp-httplib release, refactor or wrap the multipart handling code to reject or sanitize filename* values before they reach the regex engine, limiting input length and preventing deep recursion.", "Implement runtime monitoring to detect SIGSEGV crashes and configure process resource limits (e.g., ulimit settings) to prevent a full stack overflow from exhausting system resources while remediation is applied."], "summary": {"action": "Immediate Patch", "impact": "Denial of Service via stack overflow"}, "threat_synthesis": {"affected_systems": "All installations of the cpp-httplib single\u2011file header library version 0.36.0 and earlier, authored by yhirose, are affected. The library is commonly embedded in C++ projects that handle HTTP or HTTPS requests, and any process that employs multipart parsing with this library version is susceptible.\n", "description_and_impact": "The vulnerability arises from cpp-httplib\u2019s use of libstdc++\u2019s std::regex to parse RFC 5987 encoded filename* values in multipart Content-Disposition headers. The regex engine implements backtracking through deep recursion, consuming one stack frame per input character. An attacker can craft a filename* parameter that triggers uncontrolled recursion, leading to a stack overflow (SIGSEGV) that crashes the server process. The flaw is classified as Stack-based Buffer Overflow and Uncontrolled Recursion (CWE-1333 and CWE-674), resulting in a denial of service by terminating the application.\n", "risk_and_exploitability": "The CVSS score of 5.9 indicates moderate severity. The EPSS probability is less than 1%, suggesting a low likelihood of widespread exploitation, and the vulnerability is not listed in CISA\u2019s KEV catalog. Attackers would need network access to the application\u2019s HTTP interface to send a POST request with a malicious filename* value. Once the crafted request hits the vulnerable regex parser, the application crashes, causing a denial of service. "}}}}, "created": "2026-03-09T10:05:03.940028+00:00", "updated": "2026-04-16T11:00:10.637690+00:00", "vendors": ["yhirose", "yhirose$PRODUCT$cpp-httplib"]}