CVE-2025-53628
Published: 10 July 2025
Summary
CVE-2025-53628 is a high-severity Allocation of Resources Without Limits or Throttling (CWE-770) vulnerability in Yhirose Cpp-Httplib. Its CVSS base score is 8.8 (High).
Operationally, exploitation aligns with the MITRE ATT&CK technique Application or System Exploitation (T1499.004); ranked at the 34.1th percentile by exploit likelihood (below the median); it is not currently listed in the CISA KEV catalog; a public proof-of-concept is referenced.
The strongest mitigations our analysis identified are NIST 800-53 SC-5 (Denial-of-service Protection) and SI-2 (Flaw Remediation).
Threat & Defense at a Glance
Threat & Defense Details
Mitigating Controls (NIST 800-53 r5)AI
SI-2 ensures timely identification, reporting, and patching of software flaws like the unbounded memory allocation in cpp-httplib prior to version 0.20.1.
SC-5 implements nonexistence of service protections against denial-of-service attacks, including resource exhaustion from arbitrary memory allocation triggered by oversized HTTP lines.
SI-9 restricts information input quantities and types, such as imposing HTTP line length limits to mitigate unbounded allocations in vulnerable cpp-httplib versions.
MITRE ATT&CK Enterprise TechniquesAI
Why these techniques?
Vulnerability enables remote exploitation of HTTP parsing in applications using the library, directly facilitating application-layer DoS via unbounded memory allocation (resource exhaustion).
NVD Description
cpp-httplib is a C++11 single-file header-only cross platform HTTP/HTTPS library. Prior to 0.20.1, cpp-httplib does not have a limit for a unique line, permitting an attacker to explore this to allocate memory arbitrarily. This vulnerability is fixed in 0.20.1. NOTE:…
more
This vulnerability is related to CVE-2025-53629.
Deeper analysisAI
CVE-2025-53628 affects cpp-httplib, a C++11 single-file header-only cross-platform HTTP/HTTPS library. In versions prior to 0.20.1, the library lacks a limit on the length of a unique line, such as in HTTP requests or responses, enabling attackers to trigger arbitrary memory allocation. This issue is classified under CWE-770 (Allocation of Resources Without Limits or Throttling), CWE-835, and CWE-444 (Inconsistent Interpretation of HTTP Requests), with a CVSS v3.1 base score of 8.8 (AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H). The vulnerability is fixed in version 0.20.1 and is related to CVE-2025-53629.
Remote attackers can exploit this vulnerability over the network with low complexity and no required privileges, though it necessitates user interaction, such as tricking a user into processing a malicious HTTP request or response via an application using the library. Successful exploitation allows arbitrary memory allocation, potentially leading to high-impact denial of service through resource exhaustion, as well as unauthorized access, modification, or disruption of data and system integrity.
The cpp-httplib security advisories (GHSA-j6p8-779x-p5pw, GHSA-qjmq-h3cc-qv6w) and the fixing commit (7b752106ac42bd5b907793950d9125a0972c8e8e) recommend upgrading to version 0.20.1, which introduces the necessary line length limits to prevent unbounded allocations. No additional workarounds are specified in the provided references.
Details
- CWE(s)