{"dataType": "CVE_RECORD", "dataVersion": "5.1", "cveMetadata": {"cveId": "CVE-2025-52887", "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "state": "PUBLISHED", "assignerShortName": "GitHub_M", "dateReserved": "2025-06-20T17:42:25.709Z", "datePublished": "2025-06-26T14:31:52.092Z", "dateUpdated": "2025-06-26T14:46:31.045Z"}, "containers": {"cna": {"title": "cpp-httplib has unlimited number of http header fields, which causes memory leak", "problemTypes": [{"descriptions": [{"cweId": "CWE-400", "lang": "en", "description": "CWE-400: Uncontrolled Resource Consumption", "type": "CWE"}]}], "metrics": [{"cvssV3_1": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 7.5, "baseSeverity": "HIGH", "confidentialityImpact": "NONE", "integrityImpact": "NONE", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", "version": "3.1"}}], "references": [{"name": "https://github.com/yhirose/cpp-httplib/security/advisories/GHSA-xjhg-gf59-p92h", "tags": ["x_refsource_CONFIRM"], "url": "https://github.com/yhirose/cpp-httplib/security/advisories/GHSA-xjhg-gf59-p92h"}, {"name": "https://github.com/yhirose/cpp-httplib/commit/28dcf379e82a2cdb544d812696a7fd46067eb7f9", "tags": ["x_refsource_MISC"], "url": "https://github.com/yhirose/cpp-httplib/commit/28dcf379e82a2cdb544d812696a7fd46067eb7f9"}], "affected": [{"vendor": "yhirose", "product": "cpp-httplib", "versions": [{"version": "= 0.21.0", "status": "affected"}]}], "providerMetadata": {"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M", "dateUpdated": "2025-06-26T14:31:52.092Z"}, "descriptions": [{"lang": "en", "value": "cpp-httplib is a C++11 single-file header-only cross platform HTTP/HTTPS library. In version 0.21.0, when many http headers fields are passed in, the library does not limit the number of headers, and the memory associated with the headers will not be released when the connection is disconnected. This leads to potential exhaustion of system memory and results in a server crash or unresponsiveness. Version 0.22.0 contains a patch for the issue."}], "source": {"advisory": "GHSA-xjhg-gf59-p92h", "discovery": "UNKNOWN"}}, "adp": [{"metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2025-06-26T14:46:17.991132Z", "id": "CVE-2025-52887", "options": [{"Exploitation": "poc"}, {"Automatable": "yes"}, {"Technical Impact": "partial"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2025-06-26T14:46:31.045Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2025-52887", "role": "CISA Coordinator", "options": [{"Exploitation": "poc"}, {"Automatable": "yes"}, {"Technical Impact": "partial"}], "version": "2.0.3", "timestamp": "2025-06-26T14:46:17.991132Z"}}}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2025-06-26T14:46:20.189Z"}}], "cna": {"title": "cpp-httplib has unlimited number of http header fields, which causes memory leak", "source": {"advisory": "GHSA-xjhg-gf59-p92h", "discovery": "UNKNOWN"}, "metrics": [{"cvssV3_1": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 7.5, "attackVector": "NETWORK", "baseSeverity": "HIGH", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", "integrityImpact": "NONE", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "HIGH", "privilegesRequired": "NONE", "confidentialityImpact": "NONE"}}], "affected": [{"vendor": "yhirose", "product": "cpp-httplib", "versions": [{"status": "affected", "version": "= 0.21.0"}]}], "references": [{"url": "https://github.com/yhirose/cpp-httplib/security/advisories/GHSA-xjhg-gf59-p92h", "name": "https://github.com/yhirose/cpp-httplib/security/advisories/GHSA-xjhg-gf59-p92h", "tags": ["x_refsource_CONFIRM"]}, {"url": "https://github.com/yhirose/cpp-httplib/commit/28dcf379e82a2cdb544d812696a7fd46067eb7f9", "name": "https://github.com/yhirose/cpp-httplib/commit/28dcf379e82a2cdb544d812696a7fd46067eb7f9", "tags": ["x_refsource_MISC"]}], "descriptions": [{"lang": "en", "value": "cpp-httplib is a C++11 single-file header-only cross platform HTTP/HTTPS library. In version 0.21.0, when many http headers fields are passed in, the library does not limit the number of headers, and the memory associated with the headers will not be released when the connection is disconnected. This leads to potential exhaustion of system memory and results in a server crash or unresponsiveness. Version 0.22.0 contains a patch for the issue."}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-400", "description": "CWE-400: Uncontrolled Resource Consumption"}]}], "providerMetadata": {"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M", "dateUpdated": "2025-06-26T14:31:52.092Z"}}}, "cveMetadata": {"cveId": "CVE-2025-52887", "state": "PUBLISHED", "dateUpdated": "2025-06-26T14:46:31.045Z", "dateReserved": "2025-06-20T17:42:25.709Z", "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "datePublished": "2025-06-26T14:31:52.092Z", "assignerShortName": "GitHub_M"}, "dataVersion": "5.1"}

{"cveTags": [], "descriptions": [{"lang": "en", "value": "cpp-httplib is a C++11 single-file header-only cross platform HTTP/HTTPS library. In version 0.21.0, when many http headers fields are passed in, the library does not limit the number of headers, and the memory associated with the headers will not be released when the connection is disconnected. This leads to potential exhaustion of system memory and results in a server crash or unresponsiveness. Version 0.22.0 contains a patch for the issue."}], "id": "CVE-2025-52887", "lastModified": "2025-06-26T18:57:43.670", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 7.5, "baseSeverity": "HIGH", "confidentialityImpact": "NONE", "integrityImpact": "NONE", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", "version": "3.1"}, "exploitabilityScore": 3.9, "impactScore": 3.6, "source": "security-advisories@github.com", "type": "Secondary"}]}, "published": "2025-06-26T15:15:23.350", "references": [{"source": "security-advisories@github.com", "url": "https://github.com/yhirose/cpp-httplib/commit/28dcf379e82a2cdb544d812696a7fd46067eb7f9"}, {"source": "security-advisories@github.com", "url": "https://github.com/yhirose/cpp-httplib/security/advisories/GHSA-xjhg-gf59-p92h"}], "sourceIdentifier": "security-advisories@github.com", "vulnStatus": "Awaiting Analysis", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-400"}], "source": "security-advisories@github.com", "type": "Primary"}]}

{"bugzilla": {"description": "cpp-httplib: cpp-httplib memory leak", "id": "2374970", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2374970"}, "csaw": false, "cvss3": {"cvss3_base_score": "5.3", "cvss3_scoring_vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L", "status": "draft"}, "cwe": "CWE-400", "details": ["cpp-httplib is a C++11 single-file header-only cross platform HTTP/HTTPS library. In version 0.21.0, when many http headers fields are passed in, the library does not limit the number of headers, and the memory associated with the headers will not be released when the connection is disconnected. This leads to potential exhaustion of system memory and results in a server crash or unresponsiveness. Version 0.22.0 contains a patch for the issue.", "A denial-of-service vulnerability, stemming from memory exhaustion, has been identified in the cpp-httplib C++ HTTP/HTTPS library. This flaw is a result of the library's insufficient limits on the processing of HTTP headers. A remote attacker could exploit this by sending specially crafted HTTP requests with overly large or numerous headers, causing excessive memory consumption and ultimately leading to a program crash. This impacts the availability and stability of applications using cpp-httplib."], "mitigation": {"lang": "en:us", "value": "Mitigation for this issue is either not available or the currently available options do not meet the Red Hat Product Security criteria comprising ease of use and deployment, applicability to widespread installation base or stability."}, "name": "CVE-2025-52887", "public_date": "2025-06-26T14:31:52Z", "references": ["https://www.cve.org/CVERecord?id=CVE-2025-52887"], "statement": "On Red Hat systems, any memory exhaustion will lead to the host operating system killing the offending program. The host system will continue operation.", "threat_severity": "Moderate"}