cpp-httplib Memory Exhaustion Vulnerability in Chunked Requests Allowing Denial-of-Service

A denial-of-service vulnerability has been identified in cpp-httplib, a C++ header-only HTTP/HTTPS server and client library, in versions prior to 0.20.1. The issue arises because the library does not properly enforce size limits on incoming request bodies when 'Transfer-Encoding: chunked' is used or when the 'Content-Length' header is absent. This flaw allows remote attackers to send chunked requests without the required terminating zero-length chunk, leading to uncontrolled memory allocation on the server. Consequently, this can cause system memory exhaustion, resulting in a server crash or unresponsiveness. The vulnerability exists before request routing is completed, affecting all requests, including those to non-existent paths.

Impact

Exploitation of this vulnerability causes excessive memory consumption on the server, leading to a crash or unresponsiveness. On multi-tenant systems, this resource exhaustion can impact other applications by depleting system resources.

Reproduction

The vulnerability can be reproduced by sending a chunked HTTP request without the final zero-length chunk. This can be done using a custom HTTP client that maintains the connection open and continuously sends data chunks, effectively bypassing the library's payload size limits. The server can be set up to listen for incoming requests, and once the vulnerability is triggered, the server will begin to consume excessive amounts of memory until it crashes or becomes unresponsive.

Remediation

Users can update to cpp-httplib version 0.20.1 or later, which addresses the vulnerability by enforcing size limits during the parsing of chunked requests. If an update is not immediately feasible, a reverse proxy such as Nginx or HAProxy can be deployed in front of the cpp-httplib application to enforce maximum request body size limits, blocking excessively large requests before they reach the vulnerable library code.