cpp-httplib Content-Length Header Processing Vulnerability Leading to Denial-of-Service

A denial-of-service vulnerability has been identified in cpp-httplib, a cross-platform HTTP/HTTPS library for C++11. The issue arises in versions through 0.37.0 when the streaming API is used. The library improperly handles the Content-Length header by directly passing its value to std::stoull() without validation or exception handling. This oversight allows malformed Content-Length values to trigger exceptions that, if unhandled, cause the application to terminate abruptly. The vulnerability can be exploited by any server the client connects to, including those accessed via HTTP redirects or third-party APIs. The crash is immediate and deterministic, with no authentication or user interaction required.

Impact

Exploitation of this vulnerability leads to an unhandled exception that causes the process to terminate, effectively crashing the application. This is a permanent denial-of-service condition on systems where the process is not automatically restarted. Even on systems that do restart the process, the vulnerability can be exploited repeatedly to keep the service down.

Reproduction

The vulnerability can be reproduced by using a cpp-httplib client application that makes a request using the streaming API, such as httplib::stream::Get or httplib::stream::Post. The server response must include a malformed Content-Length header, such as a non-numeric value or a value exceeding the maximum limit for unsigned long long integers. When the client receives this response, it will crash immediately due to the unhandled exception from std::stoull().

Remediation

Users can upgrade to cpp-httplib version 0.37.1 or later, where this vulnerability has been fixed.