Debian Package Tracker
Register | Log in
Subscribe

cpp-httplib

Choose email to subscribe with

general
  • source: cpp-httplib (main)
  • version: 0.18.7-1
  • maintainer: Andrea Pappacoda (DMD) (LowNMU)
  • arch: any
  • std-ver: 4.7.2
  • VCS: Git (Browse, QA)
versions [more versions can be listed by madison] [old versions available from snapshot.debian.org]
[pool directory]
  • stable: 0.11.4+ds-1+deb12u1
  • testing: 0.18.7-1
  • unstable: 0.18.7-1
versioned links
  • 0.11.4+ds-1+deb12u1: [.dsc, use dget on this link to retrieve source package] [changelog] [copyright] [rules] [control]
  • 0.18.7-1: [.dsc, use dget on this link to retrieve source package] [changelog] [copyright] [rules] [control]
binaries
  • libcpp-httplib-dev
  • libcpp-httplib0.18
action needed
A new upstream version is available: 0.20.1 high
A new upstream version 0.20.1 is available, you should consider packaging it.
Created: 2024-09-03 Last update: 2025-05-29 18:30
1 security issue in trixie high

There is 1 open security issue in trixie.

1 important issue:
  • CVE-2025-46728: cpp-httplib is a C++ header-only HTTP/HTTPS server and client library. Prior to version 0.20.1, the library fails to enforce configured size limits on incoming request bodies when `Transfer-Encoding: chunked` is used or when no `Content-Length` header is provided. A remote attacker can send a chunked request without the terminating zero-length chunk, causing uncontrolled memory allocation on the server. This leads to potential exhaustion of system memory and results in a server crash or unresponsiveness. Version 0.20.1 fixes the issue by enforcing limits during parsing. If the limit is exceeded at any point during reading, the connection is terminated immediately. A short-term workaround through a Reverse Proxy is available. If updating the library immediately is not feasible, deploy a reverse proxy (e.g., Nginx, HAProxy) in front of the `cpp-httplib` application. Configure the proxy to enforce maximum request body size limits, thereby stopping excessively large requests before they reach the vulnerable library code.
Created: 2025-05-07 Last update: 2025-05-08 20:33
1 security issue in sid high

There is 1 open security issue in sid.

1 important issue:
  • CVE-2025-46728: cpp-httplib is a C++ header-only HTTP/HTTPS server and client library. Prior to version 0.20.1, the library fails to enforce configured size limits on incoming request bodies when `Transfer-Encoding: chunked` is used or when no `Content-Length` header is provided. A remote attacker can send a chunked request without the terminating zero-length chunk, causing uncontrolled memory allocation on the server. This leads to potential exhaustion of system memory and results in a server crash or unresponsiveness. Version 0.20.1 fixes the issue by enforcing limits during parsing. If the limit is exceeded at any point during reading, the connection is terminated immediately. A short-term workaround through a Reverse Proxy is available. If updating the library immediately is not feasible, deploy a reverse proxy (e.g., Nginx, HAProxy) in front of the `cpp-httplib` application. Configure the proxy to enforce maximum request body size limits, thereby stopping excessively large requests before they reach the vulnerable library code.
Created: 2025-05-07 Last update: 2025-05-08 20:33
2 security issues in bookworm high

There are 2 open security issues in bookworm.

1 important issue:
  • CVE-2025-46728: cpp-httplib is a C++ header-only HTTP/HTTPS server and client library. Prior to version 0.20.1, the library fails to enforce configured size limits on incoming request bodies when `Transfer-Encoding: chunked` is used or when no `Content-Length` header is provided. A remote attacker can send a chunked request without the terminating zero-length chunk, causing uncontrolled memory allocation on the server. This leads to potential exhaustion of system memory and results in a server crash or unresponsiveness. Version 0.20.1 fixes the issue by enforcing limits during parsing. If the limit is exceeded at any point during reading, the connection is terminated immediately. A short-term workaround through a Reverse Proxy is available. If updating the library immediately is not feasible, deploy a reverse proxy (e.g., Nginx, HAProxy) in front of the `cpp-httplib` application. Configure the proxy to enforce maximum request body size limits, thereby stopping excessively large requests before they reach the vulnerable library code.
1 issue left for the package maintainer to handle:
  • CVE-2025-0825: (needs triaging) cpp-httplib version v0.17.3 through v0.18.3 fails to filter CRLF characters ("\r\n") when those are prefixed with a null byte. This enables attackers to exploit CRLF injection that could further lead to HTTP Response Splitting, XSS, and more.

You can find information about how to handle this issue in the security team's documentation.

Created: 2025-02-07 Last update: 2025-05-08 20:33
1 bug tagged patch in the BTS normal
The BTS contains patches fixing 1 bug, consider including or untagging them.
Created: 2025-01-06 Last update: 2025-05-29 22:00
Build log checks report 2 warnings low
Build log checks report 2 warnings
Created: 2021-11-27 Last update: 2022-02-24 19:31
news
[rss feed]
  • [2025-03-14] cpp-httplib 0.18.7-1 MIGRATED to testing (Debian testing watch)
  • [2025-03-11] Accepted cpp-httplib 0.18.7-1 (source) into unstable (Andrea Pappacoda)
  • [2024-10-06] Accepted cpp-httplib 0.18.0+ds-1 (source arm64) into experimental (Debian FTP Masters) (signed by: Christian Hofstaedtler)
  • [2024-09-20] cpp-httplib 0.16.3+ds-2 MIGRATED to testing (Debian testing watch)
  • [2024-09-17] Accepted cpp-httplib 0.16.3+ds-2 (source) into unstable (Andrea Pappacoda)
  • [2024-08-21] cpp-httplib 0.16.3+ds-1 MIGRATED to testing (Debian testing watch)
  • [2024-08-18] Accepted cpp-httplib 0.16.3+ds-1 (source) into unstable (Andrea Pappacoda)
  • [2024-08-03] Accepted cpp-httplib 0.16.0+ds-1 (source amd64) into experimental (Debian FTP Masters) (signed by: bage@debian.org)
  • [2024-07-10] cpp-httplib 0.15.3+ds-3 MIGRATED to testing (Debian testing watch)
  • [2024-07-07] Accepted cpp-httplib 0.15.3+ds-3 (source) into unstable (Andrea Pappacoda)
  • [2024-06-26] cpp-httplib 0.15.3+ds-2 MIGRATED to testing (Debian testing watch)
  • [2024-06-23] Accepted cpp-httplib 0.15.3+ds-2 (source) into unstable (Andrea Pappacoda)
  • [2024-06-23] Accepted cpp-httplib 0.15.3+ds-1 (source amd64) into experimental (Debian FTP Masters) (signed by: bage@debian.org)
  • [2024-05-03] cpp-httplib 0.14.3+ds-1.1 MIGRATED to testing (Debian testing watch)
  • [2024-02-28] Accepted cpp-httplib 0.14.3+ds-1.1 (source) into unstable (Steve Langasek)
  • [2024-01-30] Accepted cpp-httplib 0.14.3+ds-1.1~exp1 (source amd64) into experimental (Michael Hudson-Doyle)
  • [2023-12-27] cpp-httplib 0.14.3+ds-1 MIGRATED to testing (Debian testing watch)
  • [2023-12-24] Accepted cpp-httplib 0.14.3+ds-1 (source) into unstable (Andrea Pappacoda)
  • [2023-12-14] cpp-httplib 0.14.2+ds-1 MIGRATED to testing (Debian testing watch)
  • [2023-12-11] Accepted cpp-httplib 0.14.2+ds-1 (source) into unstable (Andrea Pappacoda)
  • [2023-12-04] cpp-httplib 0.14.1+ds-2 MIGRATED to testing (Debian testing watch)
  • [2023-11-30] Accepted cpp-httplib 0.14.1+ds-2 (source) into unstable (Andrea Pappacoda)
  • [2023-10-23] cpp-httplib 0.14.1+ds-1 MIGRATED to testing (Debian testing watch)
  • [2023-10-20] Accepted cpp-httplib 0.14.1+ds-1 (source) into unstable (Andrea Pappacoda)
  • [2023-09-17] Accepted cpp-httplib 0.14.0+ds-1 (source amd64) into experimental (Debian FTP Masters) (signed by: bage@debian.org)
  • [2023-09-03] cpp-httplib 0.13.1+ds-1 MIGRATED to testing (Debian testing watch)
  • [2023-07-16] Accepted cpp-httplib 0.11.4+ds-1+deb12u1 (source) into proposed-updates (Debian FTP Masters) (signed by: Andrea Pappacoda)
  • [2023-07-15] Accepted cpp-httplib 0.13.1+ds-1 (source amd64) into unstable (Debian FTP Masters) (signed by: bage@debian.org)
  • [2023-07-15] cpp-httplib 0.11.4+ds-3 MIGRATED to testing (Debian testing watch)
  • [2023-07-13] Accepted cpp-httplib 0.11.4+ds-3 (source) into unstable (Andrea Pappacoda)
  • 1
  • 2
bugs [bug history graph]
  • all: 4
  • RC: 0
  • I&N: 3
  • M&W: 1
  • F&P: 0
  • patch: 1
links
  • homepage
  • lintian
  • buildd: logs, checks, reproducibility, cross
  • popcon
  • browse source code
  • edit tags
  • other distros
  • security tracker
  • debci
ubuntu Ubuntu logo [Information about Ubuntu for Debian Developers]
  • version: 0.18.7-1

Debian Package Tracker — Copyright 2013-2025 The Distro Tracker Developers
Report problems to the tracker.debian.org pseudo-package in the Debian BTS.
Documentation — Bugs — Git Repository — Contributing