yhirose cpp-httplib
cpe:2.3:a:cpp-httplib_project:cpp-httplib:*:*:*:*:*:*:*
- <= 0.22.0
A vulnerability exists in cpp-httplib versions prior to 0.23.0, where incoming HTTP requests using Transfer-Encoding: chunked can lead to arbitrary memory allocation on the server. This behavior can cause memory exhaustion, potentially crashing the server or making it unresponsive. The issue arises because chunked requests can be sent without a defined size limit, allowing for an indefinite number of chunks to be processed. Additionally, this vulnerability is related to HTTP header smuggling, as trailer headers can be improperly merged into the main header collection, creating opportunities for cache poisoning and bypassing access controls.
Exploitation of this vulnerability can lead to a denial-of-service condition, where the server consumes excessive memory resources until it crashes or becomes unresponsive. On multi-tenant systems, this can disrupt other applications by exhausting available resources.
The vulnerability can be reproduced by sending an HTTP request with Transfer-Encoding: chunked, including an indefinite number of chunks. This can be done using a custom client that sends chunks without a final '0' chunk, effectively creating an infinite request that exhausts the server's memory. Alternatively, the vulnerability can be demonstrated by sending a chunked request with trailers that merge into the headers, exploiting the improper handling of trailer fields.
Users are advised to update to cpp-httplib version 0.23.0, which addresses both the unbounded memory allocation in chunked requests and the HTTP header smuggling vulnerability by properly managing trailer headers.
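For code that parses chunked bodies itself, the two defensive properties described above (a cumulative size limit and trailers kept apart from the request headers) can be sketched as follows. This is an added example, not cpp-httplib's code or its 0.23.0 fix; `decode_chunked`, `Body`, `Decode` and `max_body` are hypothetical names, and the input is assumed to be already buffered.

```cpp
#include <cctype>
#include <cstddef>
#include <map>
#include <string>

enum class Decode { Ok, Incomplete, Malformed, TooLarge };

struct Body {
    std::string data;                             // de-chunked payload
    std::map<std::string, std::string> trailers;  // never merged into request headers
};

// Hypothetical helper (not cpp-httplib API). Works on a buffered input for clarity;
// a server would apply the same checks incrementally while reading the socket.
Decode decode_chunked(const std::string& wire, std::size_t max_body, Body& out) {
    out = Body{};
    std::size_t pos = 0;
    for (;;) {  // chunk section
        std::size_t eol = wire.find("\r\n", pos);
        if (eol == std::string::npos) return Decode::Incomplete;
        std::string hex = wire.substr(pos, eol - pos);
        hex = hex.substr(0, hex.find(';'));  // ignore chunk extensions
        if (hex.empty() || hex.size() > 8) return Decode::Malformed;  // caps size field
        for (unsigned char c : hex)
            if (!std::isxdigit(c)) return Decode::Malformed;
        std::size_t len = std::stoul(hex, nullptr, 16);
        pos = eol + 2;
        if (len == 0) break;  // last-chunk reached, trailers follow
        // Enforce the cumulative limit before copying, so it bounds allocation
        // even when the peer never sends the terminating 0 chunk.
        if (len > max_body - out.data.size()) return Decode::TooLarge;
        if (wire.size() - pos < len + 2) return Decode::Incomplete;
        if (wire.compare(pos + len, 2, "\r\n") != 0) return Decode::Malformed;
        out.data.append(wire, pos, len);
        pos += len + 2;
    }
    for (;;) {  // trailer section
        std::size_t eol = wire.find("\r\n", pos);
        if (eol == std::string::npos) return Decode::Incomplete;
        if (eol == pos) return Decode::Ok;  // blank line ends the message
        std::size_t colon = wire.find(':', pos);
        if (colon == std::string::npos || colon >= eol || colon == pos) return Decode::Malformed;
        std::size_t v = wire.find_first_not_of(" \t", colon + 1);
        out.trailers[wire.substr(pos, colon - pos)] = v < eol ? wire.substr(v, eol - v) : std::string();
        pos = eol + 2;
    }
}
```

A caller that needs trailer values reads them from `Body::trailers` explicitly, so a trailer field can never shadow a header that routing, caching or access-control logic has already evaluated.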