cpp-httplib Payload Size Limit Bypass Vulnerability in Gzip-Encoded Streaming Content

Vulnerability

A vulnerability in cpp-httplib prior to version 0.35.0 allows for a payload size limit bypass in the server's handling of streaming content that is gzip-encoded. The library does not properly enforce the maximum payload length on decompressed request bodies when using the ContentReader feature. As a result, a small compressed payload can expand significantly after decompression, exceeding the configured payload limit and potentially leading to denial-of-service conditions by exhausting CPU and memory resources. This issue is particularly problematic in environments with high concurrency or limited resources, where the increased resource consumption can cause significant disruptions.

Impact

Exploitation of this vulnerability allows for the bypass of configured payload size limits on decompressed request bodies, enabling the processing of oversized data. This can lead to increased CPU and memory usage, causing potential denial-of-service conditions, especially in constrained environments or under high load.

Reproduction

The vulnerability can be reproduced by sending a gzip-compressed payload that is small in size but expands significantly when decompressed. This can be done using a cpp-httplib server configured to use the ContentReader feature, which streams the request body. The server should have a payload size limit set, and the request should be sent with the Content-Encoding header set to gzip. The server will accept the oversized decompressed payload, bypassing the configured limit.

Remediation

Users can update to cpp-httplib version 0.35.0 or later, where this vulnerability has been fixed. If an immediate update is not possible, consider disabling request-body decompression for endpoints that use ContentReader, or manually enforcing a decompressed-size limit in the application callback.
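The following is an added example of the interim mitigation described above (manually enforcing a decompressed-size limit in the ContentReader callback); it is not code from cpp-httplib or from the advisory. It assumes cpp-httplib's receiver callback signature, `bool(const char *data, size_t data_length)`, where returning `false` makes the library stop reading the body. The `BoundedBodyReceiver` class and `feed_decompressed_chunks` helper are hypothetical names, and the chunk sequences used in the simulation are constructed inputs standing in for what gzip inflation would hand to the callback. The handler wiring at the end is shown as a comment because `httplib.h` is not included here.

```cpp
#include <cstddef>
#include <string>
#include <vector>

// Hypothetical helper, not part of cpp-httplib. Mirrors the library's receiver
// signature bool(const char *, size_t) so it can be wrapped in the lambda passed
// to content_reader(). The cap is checked on DECOMPRESSED bytes, before the chunk
// is appended, so memory held by the handler never exceeds the cap even when the
// compressed request was tiny.
class BoundedBodyReceiver {
public:
  explicit BoundedBodyReceiver(size_t max_decompressed_bytes)
      : limit_(max_decompressed_bytes) {}

  // Called once per decompressed chunk. Returning false aborts the read.
  bool operator()(const char *data, size_t len) {
    // body_.size() <= limit_ is an invariant, so this subtraction cannot underflow.
    if (len > limit_ - body_.size()) {
      exceeded_ = true;
      return false;  // tell cpp-httplib to stop feeding us data
    }
    body_.append(data, len);
    return true;
  }

  bool exceeded() const { return exceeded_; }
  size_t received() const { return body_.size(); }
  const std::string &body() const { return body_; }

private:
  size_t limit_;
  std::string body_;
  bool exceeded_ = false;
};

struct StreamResult {
  bool accepted;      // whole body fit under the cap
  size_t bytes_kept;  // decompressed bytes actually retained
};

// Simulates the stream of inflated chunks a gzip-encoded body would produce,
// stopping as soon as the receiver rejects a chunk (as cpp-httplib would).
StreamResult feed_decompressed_chunks(size_t cap,
                                      const std::vector<std::string> &chunks) {
  BoundedBodyReceiver receiver(cap);
  for (const auto &chunk : chunks) {
    if (!receiver(chunk.data(), chunk.size())) break;
  }
  return {!receiver.exceeded(), receiver.received()};
}

// How this plugs into a cpp-httplib ContentReader handler (library API names
// from cpp-httplib; shown as a comment since httplib.h is not included here):
//
//   svr.Post("/upload", [](const httplib::Request &, httplib::Response &res,
//                          const httplib::ContentReader &content_reader) {
//     BoundedBodyReceiver receiver(1 * 1024 * 1024);  // 1 MiB decompressed cap
//     content_reader([&](const char *data, size_t len) {
//       return receiver(data, len);  // false aborts the read past the cap
//     });
//     if (receiver.exceeded()) {
//       res.status = 413;  // Payload Too Large
//       return;
//     }
//     // ... process receiver.body() ...
//   });
```

Because the check runs per chunk and before the append, a request whose compressed size is well under `set_payload_max_length` but whose inflated size is not is cut off at the cap rather than being fully buffered, which is the resource-exhaustion path the advisory describes.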

Added: Mar 4, 2026, 8:29 PM
Updated: Mar 4, 2026, 8:29 PM

Vulnerability Rating

Custom Algorithm

spread: 6.2
impact: 3.1
exploitability: 9.5
remediation: 7.9
relevance: 3.5
threat: 6.4
urgency: 2.9
incentive: 8.3

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.