cvedb.io
CVE-2026-31870
HIGH · CVSS 7.5
EPSS exploitation probability: 0%
Published 2026-03-11T18:16:26.487 · Last modified 2026-06-17T10:34:40.140

Summary

cpp-httplib is a C++11 single-file header-only cross platform HTTP/HTTPS library. Prior to 0.37.1, when a cpp-httplib client uses the streaming API (httplib::stream::Get, httplib::stream::Post, etc.), the library calls std::stoull() directly on the Content-Length header value received from the server with no input validation and no exception handling. std::stoull throws std::invalid_argument for non-numeric strings and std::out_of_range for values exceeding ULLONG_MAX. Since nothing catches these exceptions, the C++ runtime calls std::terminate(), which kills the process with SIGABRT. Any server the client connects to — including servers reached via HTTP redirects, third-party APIs, or man-in-the-middle positions can crash the client application with a single HTTP response. No authenticati

Affected products

yhirose — cpp-httplib

Does this affect you?

Add your gear to cvedb and we'll alert you only when yhirose ships something exploited.

Check my exposure →

References

This product uses data from the NVD API but is not endorsed or certified by the NVD. Informational only; not professional security advice.