yhirose cpp-httplib
cpe:2.3:a:cpp-httplib_project:cpp-httplib:*:*:*:*:*:*:*
- <= 0.29.0
A denial-of-service vulnerability has been identified in cpp-httplib, a cross-platform HTTP/HTTPS library for C++11. This vulnerability, present in versions prior to 0.30.1, arises from improper handling of compressed HTTP request bodies, specifically those using Content-Encoding types like gzip and brotli. The library checks the maximum payload length against the size of the compressed data received, but fails to restrict the size of the decompressed data stored in memory. As a result, an attacker can exploit this flaw by sending a 'zip bomb'—a small file that expands to a large size when decompressed—causing the server to run out of memory and crash, even if a reasonable payload size limit is set.
Exploitation of this vulnerability leads to a denial-of-service condition, causing the server to exhaust available memory and crash.
The vulnerability can be reproduced by sending a compressed 'zip bomb' payload to a server using cpp-httplib version 0.29.0 or earlier. The server should be configured to handle compressed data but without specific safeguards against such attacks. Once the payload is received, the server will decompress the data into memory, causing a rapid increase in memory usage that can lead to an out-of-memory crash.
Users can upgrade to cpp-httplib version 0.30.1 or later, where this vulnerability has been addressed.
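The flaw described above is a limit applied to the wrong quantity: the number of bytes received on the wire rather than the number of bytes produced by decompression. The following Python example is added here to illustrate that contrast and the bounded alternative; it is not cpp-httplib's code (the library is C++), and the 1 MiB limit, the 4 MiB zero-filled test body, and every function name in it are constructed for this illustration. It uses the standard-library zlib bindings so it runs offline.

```python
import zlib

# A 1 MiB request-body limit, as a server operator might configure (constructed value).
MAX_PAYLOAD = 1024 * 1024

# Constructed test body: 4 MiB of zero bytes, which gzip shrinks to a few KiB.
# The compressed length is what a naive check sees; the decompressed length is
# what actually has to be held in memory.
DECOMPRESSED_LEN = 4 * 1024 * 1024


class PayloadTooLarge(ValueError):
    """Raised when a body would exceed the limit after decompression."""


def compress_body(plain: bytes) -> bytes:
    """gzip-encode a body as a client would for Content-Encoding: gzip."""
    c = zlib.compressobj(9, zlib.DEFLATED, 16 + zlib.MAX_WBITS)
    return c.compress(plain) + c.flush()


CONSTRUCTED_BODY = compress_body(b"\0" * DECOMPRESSED_LEN)


def naive_check(compressed_body: bytes, limit: int) -> bool:
    """Vulnerable pattern: the limit is compared against the bytes received on
    the wire, i.e. the compressed size, so a tiny body that inflates to far
    more than the limit is accepted."""
    return len(compressed_body) <= limit


def bounded_decompress(compressed_body: bytes, limit: int, chunk: int = 64 * 1024) -> bytes:
    """Hardened pattern: decompress incrementally and stop as soon as the
    decompressed output exceeds the limit. Peak memory stays around
    limit + chunk regardless of the compression ratio."""
    d = zlib.decompressobj(32 + zlib.MAX_WBITS)  # accept gzip or zlib framing
    out = bytearray()
    data = compressed_body
    while data:
        # Produce at most `chunk` bytes per step; input zlib could not yet
        # consume is kept in d.unconsumed_tail for the next iteration.
        out += d.decompress(data, chunk)
        if len(out) > limit:
            raise PayloadTooLarge(
                f"decompressed body exceeds {limit} bytes "
                f"(compressed size was only {len(compressed_body)})"
            )
        data = d.unconsumed_tail
    if not d.eof:
        out += d.flush()  # drain the few bytes zlib may still hold internally
        if len(out) > limit:
            raise PayloadTooLarge(f"decompressed body exceeds {limit} bytes")
    return bytes(out)


def bounded_accepts(compressed_body: bytes, limit: int) -> bool:
    """True if the body decompresses within the limit, False if it is rejected."""
    try:
        bounded_decompress(compressed_body, limit)
        return True
    except PayloadTooLarge:
        return False


if __name__ == "__main__":
    print(f"compressed: {len(CONSTRUCTED_BODY)} bytes, limit: {MAX_PAYLOAD}")
    print("naive check accepts:", naive_check(CONSTRUCTED_BODY, MAX_PAYLOAD))
    print("bounded check accepts:", bounded_accepts(CONSTRUCTED_BODY, MAX_PAYLOAD))
    small = compress_body(b"hello world" * 1000)
    print("small body accepted:", bounded_accepts(small, MAX_PAYLOAD))
```

The point a reviewer would check in any server that accepts Content-Encoding is the one `bounded_decompress` makes: the payload limit has to be enforced on decompressed output, and enforced incrementally, so that memory growth is capped before the whole body is inflated rather than discovered afterwards.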