Listen to this Post
CVE-2026-29076 is a denial of service vulnerability in the cpp-httplib library, a C++11 header-only HTTP/HTTPS library. The vulnerability resides in how the library parses `filename` parameters within `Content-Disposition` headers for multipart data, specifically those encoded according to RFC 5987. Prior to version 0.37.0, the library utilized `std::regex` (from libstdc++) to parse these values. The regex engine in libstdc++ handles certain complex patterns, such as the one used for this parsing, through a backtracking algorithm that relies on deep recursion. This recursion consumes one new stack frame for each character in the input string. An attacker can exploit this by sending a single, specially crafted HTTP POST request containing a very long and malicious `filename` parameter. Processing this request forces the regex engine into deep, uncontrolled recursion, which exhausts the program’s stack memory. This results in a stack overflow, causing the server process to crash with a SIGSEGV signal and leading to a complete denial of service for the application.
dailycve form:
Platform: cpp-httplib library
Version: before 0.37.0
Vulnerability: regex stack overflow
Severity: Medium
date: March 7, 2026
Prediction: soon likely immediate
What Undercode Say:
Analytics:
- Vulnerability Detection: Check the version of cpp-httplib used by your application.
Example: If the library is in a project's conanfile.py or vcpkg.json Check for the version string grep -r "cpp-httplib" . | grep "version"
- Version Verification: For systems where the library is installed as a package (e.g., Fedora), use the package manager.
Check installed version on Fedora rpm -q cpp-httplib On Debian/Ubuntu (if packaged) dpkg -l | grep cpp-httplib
Exploit:
- An attacker would send an HTTP POST request with a malicious multipart `Content-Disposition` header.
- The critical part is an overly long and complex `filename` parameter designed to maximize backtracking in the regex engine.
POST /upload HTTP/1.1 Host: vulnerable-server.com Content-Type: multipart/form-data; boundary=123 123 Content-Disposition: form-data; name="file"; filename="utf-8''A_______________________...[thousands of characters causing deep recursion]...A" Content-Type: text/plain [bash] 123--
Protection from this CVE:
- Primary Solution: Upgrade to cpp-httplib version 0.37.0 or later, where the issue has been patched by changing the parsing logic to avoid the vulnerable regex.
If using Git submodule or direct checkout cd /path/to/cpp-httplib git pull origin main git checkout v0.37.0
- Mitigation: If an immediate upgrade is not possible, consider disabling the processing of multipart file uploads or implementing a Web Application Firewall (WAF) rule to block requests with excessively long or unusual `filename` parameters, though this may not be a complete or reliable fix.
Impact:
- Availability: High. A remote, unauthenticated attacker can cause the server process to crash reliably with a single request.
- Service Disruption: Leads to a complete Denial of Service (DoS), rendering the application or service unavailable to legitimate users until the process is restarted.
- Scope: Affects any application or service built with a vulnerable version of the `cpp-httplib` library that accepts and parses multipart form data.
🎯Let’s Practice Exploiting & Learn Patching For Free:
Sources:
Reported By: nvd.nist.gov
Extra Source Hub:
Undercode

