cpp-httplib Denial-of-Service Vulnerability Due to Negative Chunk-Size in Transfer-Encoding

Vulnerability

A denial-of-service vulnerability has been identified in cpp-httplib, a C++11 single-file header-only cross-platform HTTP/HTTPS library, in versions prior to 0.43.4. The issue is in the ChunkedDecoder::read_payload function, which mishandles negative chunk-sizes in chunked Transfer-Encoding. The function parses each chunk-size line with std::strtoul(). The C standard requires strtoul() to accept an optional leading minus sign and to negate the parsed value in unsigned arithmetic, so a chunk-size of '-2' is accepted and becomes ULONG_MAX - 1, nearly 2^64 bytes on platforms where unsigned long is 64 bits wide. The decoder then treats the request body as a chunk of that size and memory grows without bound as body data arrives, until the process is killed. The only validation applied to the parsed value rejects ULONG_MAX, the value strtoul() returns on overflow (and for '-1'), so every other negative chunk-size passes the check.
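The following is an added example, not cpp-httplib's own code, that contrasts a chunk-size parser mirroring the behaviour described above (strtoul() plus a lone ULONG_MAX check) with a hardened parser that accepts only unsigned hex digits and enforces an upper bound. The request bytes, the function names and the 1 MiB limit are assumptions made for the illustration:

```cpp
// Added example: a chunk-size parser mirroring the described weakness beside a
// hardened replacement. None of this is cpp-httplib's code; names are invented.
#include <climits>
#include <cstdint>
#include <cstdlib>
#include <iostream>
#include <string>

// Mirrors the advisory's description: strtoul() accepts a leading '-', negates
// in unsigned arithmetic, and only ULONG_MAX (its overflow sentinel) is rejected.
// "-2" therefore yields ULONG_MAX - 1 and is accepted.
bool vulnerable_parse_chunk_size(const std::string &line, unsigned long &chunk_len) {
  char *end = nullptr;
  chunk_len = std::strtoul(line.c_str(), &end, 16);
  if (end == line.c_str()) return false;      // no digits at all
  if (chunk_len == ULONG_MAX) return false;   // the only check: overflow / "-1"
  return true;
}

// Hardened variant (this example's own design, not the upstream fix):
//  - only ASCII hex digits are accepted: no sign, no whitespace, no "0x"
//  - digits end at ';' (a chunk extension) or at end of line
//  - at least one digit, no 64-bit overflow, value bounded by max_chunk
bool hardened_parse_chunk_size(const std::string &line, uint64_t max_chunk,
                               uint64_t &chunk_len) {
  uint64_t value = 0;
  size_t digits = 0;
  for (char c : line) {
    int d;
    if (c >= '0' && c <= '9') d = c - '0';
    else if (c >= 'a' && c <= 'f') d = c - 'a' + 10;
    else if (c >= 'A' && c <= 'F') d = c - 'A' + 10;
    else if (c == ';') break;                 // extension follows; size is done
    else return false;                        // '-', '+', ' ', '\t', ...: reject
    if (value > (UINT64_MAX >> 4)) return false;  // next shift would overflow
    value = (value << 4) | static_cast<uint64_t>(d);
    ++digits;
  }
  if (digits == 0) return false;
  if (value > max_chunk) return false;        // bound independent of the limit on the whole body
  chunk_len = value;
  return true;
}

// Constructed sample of the request described under "Reproduction": chunked
// POST whose first chunk-size line is "-2". In the real attack a flood of body
// bytes follows this prefix.
const std::string kMaliciousRequest =
    "POST /upload HTTP/1.1\r\n"
    "Host: example.test\r\n"
    "Transfer-Encoding: chunked\r\n"
    "\r\n"
    "-2\r\n";

// Returns the first chunk-size line of a raw chunked request (without CRLF).
std::string first_chunk_size_line(const std::string &raw) {
  const auto hdr_end = raw.find("\r\n\r\n");
  if (hdr_end == std::string::npos) return "";
  const auto start = hdr_end + 4;
  const auto eol = raw.find("\r\n", start);
  if (eol == std::string::npos) return "";
  return raw.substr(start, eol - start);
}

int main() {
  const std::string line = first_chunk_size_line(kMaliciousRequest);
  unsigned long vuln_len = 0;
  uint64_t hard_len = 0;
  std::cout << "chunk-size line: \"" << line << "\"\n";
  std::cout << "vulnerable parser accepts: " << vulnerable_parse_chunk_size(line, vuln_len)
            << " (len=" << vuln_len << ", ULONG_MAX-1=" << ULONG_MAX - 1 << ")\n";
  std::cout << "hardened parser accepts:   "
            << hardened_parse_chunk_size(line, 1u << 20, hard_len) << "\n";
  return 0;
}
```

Note that unsigned long is 32 bits wide on LLP64 platforms such as Windows, so the accepted value there is ULONG_MAX - 1 of a 32-bit type rather than nearly 2^64; the parser still accepts it, and the hardened version rejects the sign character before any arithmetic happens.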

Impact

Exploitation causes the process to be killed by out-of-memory conditions, disrupting every service the application provides. The crash is immediate and, because the process is terminated, the service stays down until it is restarted; with several parallel connections a server can be brought down within 2 to 3 seconds.

Reproduction

To reproduce, send an HTTP POST request with 'Transfer-Encoding: chunked' whose first chunk-size line is '-2', then keep streaming body data on the connection. A short Python script that opens connections to a server built on cpp-httplib and floods them with data is sufficient to simulate the attack. The target server must accept chunked requests without a payload size limit.

Remediation

Upgrade to cpp-httplib version 0.43.4 or later, where this vulnerability has been fixed. Until the upgrade is applied, enforcing a request body size limit in front of the application (for example at a reverse proxy that terminates chunked requests) reduces exposure, since the attack depends on the server accepting chunked requests without a payload size limit.

Added: May 29, 2026, 8:32 PM
Updated: May 29, 2026, 8:32 PM

Vulnerability Rating

Custom Algorithm
spread: 6.2
impact: 2.5
exploitability: 9.5
remediation: 7.7
relevance: 9.6
threat: 6.4
urgency: 2.9
incentive: 8.3

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.