cpp-httplib, Uncontrolled Recursion, CVE-2026-29076 (Medium)

Listen to this Post

CVE-2026-29076 is a denial of service vulnerability in the cpp-httplib library, a C++11 header-only HTTP/HTTPS library. The vulnerability resides in how the library parses `filename` parameters within `Content-Disposition` headers for multipart data, specifically those encoded according to RFC 5987. Prior to version 0.37.0, the library utilized `std::regex` (from libstdc++) to parse these values. The regex engine in libstdc++ handles certain complex patterns, such as the one used for this parsing, through a backtracking algorithm that relies on deep recursion. This recursion consumes one new stack frame for each character in the input string. An attacker can exploit this by sending a single, specially crafted HTTP POST request containing a very long and malicious `filename` parameter. Processing this request forces the regex engine into deep, uncontrolled recursion, which exhausts the program’s stack memory. This results in a stack overflow, causing the server process to crash with a SIGSEGV signal and leading to a complete denial of service for the application.

dailycve form:

Platform: cpp-httplib library
Version: before 0.37.0
Vulnerability: regex stack overflow
Severity: Medium
date: March 7, 2026

Prediction: soon likely immediate

What Undercode Say:

Analytics:

  • Vulnerability Detection: Check the version of cpp-httplib used by your application.
    Example: If the library is in a project's conanfile.py or vcpkg.json
    Check for the version string
    grep -r "cpp-httplib" . | grep "version"
    
  • Version Verification: For systems where the library is installed as a package (e.g., Fedora), use the package manager.
    Check installed version on Fedora
    rpm -q cpp-httplib
    On Debian/Ubuntu (if packaged)
    dpkg -l | grep cpp-httplib
    

Exploit:

  • An attacker would send an HTTP POST request with a malicious multipart `Content-Disposition` header.
  • The critical part is an overly long and complex `filename` parameter designed to maximize backtracking in the regex engine.
    POST /upload HTTP/1.1
    Host: vulnerable-server.com
    Content-Type: multipart/form-data; boundary=123
    123
    Content-Disposition: form-data; name="file"; filename="utf-8''A_______________________...[thousands of characters causing deep recursion]...A"
    Content-Type: text/plain
    [bash]
    123--
    

Protection from this CVE:

  • Primary Solution: Upgrade to cpp-httplib version 0.37.0 or later, where the issue has been patched by changing the parsing logic to avoid the vulnerable regex.
    If using Git submodule or direct checkout
    cd /path/to/cpp-httplib
    git pull origin main
    git checkout v0.37.0
    
  • Mitigation: If an immediate upgrade is not possible, consider disabling the processing of multipart file uploads or implementing a Web Application Firewall (WAF) rule to block requests with excessively long or unusual `filename` parameters, though this may not be a complete or reliable fix.

Impact:

  • Availability: High. A remote, unauthenticated attacker can cause the server process to crash reliably with a single request.
  • Service Disruption: Leads to a complete Denial of Service (DoS), rendering the application or service unavailable to legitimate users until the process is restarted.
  • Scope: Affects any application or service built with a vulnerable version of the `cpp-httplib` library that accepts and parses multipart form data.

🎯Let’s Practice Exploiting & Learn Patching For Free:

Sources:

Reported By: nvd.nist.gov
Extra Source Hub:
Undercode

🔐JOIN OUR CYBER WORLD [ CVE News • HackMonitor • UndercodeNews ]

💬 Whatsapp | 💬 Telegram

📢 Follow DailyCVE & Stay Tuned:

𝕏 formerly Twitter 🐦 | @ Threads | 🔗 Linkedin Featured Image

Scroll to Top