CVE 8.7 HIGH

cpp-httplib vulnerable to a denial of service (DOS) using a zip bomb_CVE-2026-22776

January 12, 2026 invoker category_cve

8.7 / 10

HIGH

CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N

Description

cpp-httplib is a C++11 single-file header-only cross platform HTTP/HTTPS library. Prior to version 0.30.1, a Denial of Service (DoS) vulnerability exists in cpp-httplib due to the unsafe handling of compressed HTTP request bodies (Content-Encoding: gzip, br, etc.). The library validates the payload_max_length against the compressed data size received from the network, but does not limit the size of the decompressed data stored in memory.

AI Analysis

Denial of Service (DoS) vulnerability due to unsafe handling of compressed HTTP request bodies

Basic Information

ID CVE-2026-22776

Source GitHub_M

Published Jan 12, 2026 at 18:18

Affected Product

Vendor yhirose

Product cpp-httplib

Version < 0.30.1

Affected Versions yhirose cpp-httplib < 0.30.1

CWE Classification

CWE-409

AI Assessment

AI Score 8.7 / 10

AI Severity High

Vendor yhirose

Product cpp-httplib

Version < 0.30.1

References

{
    "lastseen": "",
    "description": "cpp-httplib is a C++11 single-file header-only cross platform HTTP/HTTPS library. Prior to version 0.30.1, a Denial of Service (DoS) vulnerability exists in cpp-httplib due to the unsafe handling of compressed HTTP request bodies (Content-Encoding: gzip, br, etc.). The library validates the payload_max_length against the compressed data size received from the network, but does not limit the size of the decompressed data stored in memory.",
    "published": "2026-01-12T18:18:01.527Z",
    "modified": "2026-01-12T18:18:01.527Z",
    "type": "cve",
    "title": "cpp-httplib vulnerable to a denial of service (DOS) using a zip bomb",
    "source": "GitHub_M",
    "references": "https://github.com/yhirose/cpp-httplib/security/advisories/GHSA-h934-98h4-j43q\nhttps://github.com/yhirose/cpp-httplib/commit/2e2e47bab1ae6a853476eecbc4bf279dd1fef792",
    "id": "CVE-2026-22776",
    "bulletinFamily": "",
    "cwe": [
        "CWE-409"
    ],
    "cvelist": null,
    "sourceData": "yhirose cpp-httplib < 0.30.1",
    "sourceHref": "",
    "cvss": {
        "score": 8.7,
        "severity": "HIGH",
        "vector": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N",
        "version": "4.0"
    },
    "cvss2": [],
    "cvss3": {
        "version": "",
        "vectorString": "",
        "baseScore": 0,
        "baseSeverity": "",
        "attackVector": "",
        "attackComplexity": "",
        "privilegesRequired": "",
        "userInteraction": "",
        "scope": "",
        "confidentialityImpact": "",
        "integrityImpact": "",
        "availabilityImpact": "",
        "cvssV3": {
            "version": "",
            "vectorString": "",
            "baseScore": 0,
            "baseSeverity": "",
            "attackVector": "",
            "attackComplexity": "",
            "privilegesRequired": "",
            "userInteraction": "",
            "scope": "",
            "confidentialityImpact": "",
            "integrityImpact": "",
            "availabilityImpact": ""
        }
    },
    "href": "",
    "category_name": "CVE",
    "post_link": "",
    "product": "cpp-httplib",
    "version": "< 0.30.1",
    "vendor": "yhirose",
    "ai_description": "Denial of Service (DoS) vulnerability due to unsafe handling of compressed HTTP request bodies",
    "ai_severity": "High",
    "ai_vendor": "yhirose",
    "ai_product": "cpp-httplib",
    "ai_version": "< 0.30.1",
    "ai_score": 8.7
}

💭 Join the Security Discussion ❌ Cancel Reply