Cyber Resilience

CVE-2025-53628

Medium · Public PoC

Published: 10 July 2025
Modified: 06 August 2025
KEV Added: not listed
Patch: 0.20.1 (see Deeper analysis)
CVSS Score (v4): 6.3 (CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X)
EPSS Score: 0.0014 (34.3rd percentile)
Risk Priority: 13 (weighted 60% EPSS · 20% KEV · 20% CVSS)

Summary

CVE-2025-53628 is a medium-severity Allocation of Resources Without Limits or Throttling (CWE-770) vulnerability in Yhirose Cpp-Httplib. Its CVSS base score is 6.3 (Medium).

Operationally, exploitation aligns with the MITRE ATT&CK technique Application or System Exploitation (T1499.004). The CVE is ranked at the 34.3rd percentile by exploit likelihood (below the median), it is not currently listed in the CISA KEV catalog, and a public proof-of-concept is referenced.

The strongest mitigations our analysis identified are NIST 800-53 SC-5 (Denial-of-service Protection) and SI-2 (Flaw Remediation).

Deeper analysis

CVE-2025-53628 affects cpp-httplib, a C++11 single-file header-only cross-platform HTTP/HTTPS library. In versions prior to 0.20.1, the library does not cap the length of a single line while parsing HTTP requests or responses, so a peer that sends a line without a terminator can make the parser allocate memory without bound. The issue is classified under CWE-770 (Allocation of Resources Without Limits or Throttling), CWE-835 (Loop with Unreachable Exit Condition), and CWE-444 (Inconsistent Interpretation of HTTP Requests), with a CVSS v3.1 base score of 8.8 (AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H). The vulnerability is fixed in version 0.20.1 and is related to CVE-2025-53629.

Remote attackers can exploit this vulnerability over the network with low complexity and no privileges, though it requires user interaction, such as tricking a user into processing a malicious HTTP request or response through an application built on the library. Successful exploitation allows arbitrary memory allocation, potentially leading to high-impact denial of service through resource exhaustion, as well as unauthorized access, modification, or disruption of data and system integrity.

The cpp-httplib security advisories (GHSA-j6p8-779x-p5pw, GHSA-qjmq-h3cc-qv6w) and the fixing commit (7b752106ac42bd5b907793950d9125a0972c8e8e) recommend upgrading to version 0.20.1, which introduces the necessary line length limits to prevent unbounded allocations. No additional workarounds are specified in the provided references.
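To make the fix concrete, the following is an added illustration of the difference between an unbounded and a bounded line reader; it is not cpp-httplib's own code or the 0.20.1 patch. The cap value `kMaxLineLength`, the function names, and the constructed request heads are assumptions for the example, since the page does not state the limit the library enforces.

```cpp
#include <cstddef>
#include <iostream>
#include <string>

// Hypothetical cap: the page does not state the limit 0.20.1 enforces.
constexpr std::size_t kMaxLineLength = 8192;

enum class LineStatus { Ok, TooLong, Incomplete };

struct LineResult {
    LineStatus status;
    std::string line;      // line content without its CRLF/LF terminator
    std::size_t consumed;  // bytes consumed from buf starting at pos
};

// Unbounded pattern (CWE-770): keeps appending until a newline arrives, so
// the allocation grows with whatever the peer chooses to send.
LineResult read_line_unbounded(const std::string& buf, std::size_t pos) {
    std::string line;
    for (std::size_t i = pos; i < buf.size(); ++i) {
        if (buf[i] == '\n') {
            if (!line.empty() && line.back() == '\r') line.pop_back();
            return {LineStatus::Ok, line, i + 1 - pos};
        }
        line.push_back(buf[i]);
    }
    return {LineStatus::Incomplete, line, buf.size() - pos};
}

// Bounded reader: never accumulates more than max_len bytes for one line.
// On TooLong the caller should answer with a 4xx status and close the
// connection instead of continuing to read.
LineResult read_line_bounded(const std::string& buf, std::size_t pos,
                             std::size_t max_len = kMaxLineLength) {
    std::string line;
    for (std::size_t i = pos; i < buf.size(); ++i) {
        if (buf[i] == '\n') {
            if (!line.empty() && line.back() == '\r') line.pop_back();
            return {LineStatus::Ok, line, i + 1 - pos};
        }
        if (line.size() >= max_len) {
            return {LineStatus::TooLong, std::string(), i - pos};
        }
        line.push_back(buf[i]);
    }
    return {LineStatus::Incomplete, line, buf.size() - pos};
}

// Counts the lines of a request head (request-line plus headers, up to the
// empty line). Returns -1 if any line exceeds the cap or the head is
// incomplete, so one oversized header aborts parsing early.
int count_head_lines(const std::string& head,
                     std::size_t max_len = kMaxLineLength) {
    std::size_t pos = 0;
    int lines = 0;
    while (true) {
        LineResult r = read_line_bounded(head, pos, max_len);
        if (r.status != LineStatus::Ok) return -1;
        pos += r.consumed;
        if (r.line.empty()) return lines;  // blank line ends the head
        ++lines;
    }
}

int main() {
    // Constructed inputs: a normal request head and one with a 64 KiB header.
    const std::string normal = "GET / HTTP/1.1\r\nHost: example.test\r\n\r\n";
    const std::string oversized =
        "GET / HTTP/1.1\r\nX-Pad: " + std::string(65536, 'A') + "\r\n\r\n";
    std::cout << "normal head lines: " << count_head_lines(normal) << "\n";
    std::cout << "oversized head lines: " << count_head_lines(oversized) << "\n";
    std::cout << "unbounded reader kept "
              << read_line_unbounded(oversized, 16).line.size() << " bytes\n";
    return 0;
}
```

The bounded reader also keeps the Incomplete case bounded: when the peer never sends a terminator, the buffer can grow to at most `max_len` bytes before the reader reports TooLong, which is the property the advisory's fix adds.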

EU & UK References

Vulnerability details

cpp-httplib is a C++11 single-file header-only cross platform HTTP/HTTPS library. Prior to 0.20.1, cpp-httplib does not have a limit for a unique line, permitting an attacker to explore this to allocate memory arbitrarily. This vulnerability is fixed in 0.20.1. NOTE:…
This vulnerability is related to CVE-2025-53629.

CWE(s)

Related Threats

MITRE ATT&CK Enterprise Techniques (AI)

T1499.004 Application or System Exploitation (Impact)
Adversaries may exploit software vulnerabilities that can cause an application or system to crash and deny availability to users.
Why these techniques?

Vulnerability enables remote exploitation of HTTP parsing in applications using the library, directly facilitating application-layer DoS via unbounded memory allocation (resource exhaustion).

Confidence: MEDIUM · MITRE ATT&CK Enterprise v18.1

CVEs Like This One

CVE-2026-28435 · Same product: Yhirose Cpp-Httplib
CVE-2026-31870 · Same product: Yhirose Cpp-Httplib
CVE-2026-22776 · Same product: Yhirose Cpp-Httplib
CVE-2026-33745 · Same product: Yhirose Cpp-Httplib
CVE-2026-32627 · Same product: Yhirose Cpp-Httplib
CVE-2026-21428 · Same product: Yhirose Cpp-Httplib
CVE-2021-47791 · Shared CWE-770
CVE-2026-35457 · Shared CWE-770
CVE-2020-37134 · Shared CWE-770
CVE-2026-33256 · Shared CWE-770

Affected Assets

yhirose
cpp-httplib
≤ 0.20.1

Mitigating Controls

Mitigating Controls (NIST 800-53 r5) (AI)

prevent: SI-2 ensures timely identification, reporting, and patching of software flaws like the unbounded memory allocation in cpp-httplib prior to version 0.20.1.

prevent: SC-5 implements denial-of-service protections, including against resource exhaustion from arbitrary memory allocation triggered by oversized HTTP lines.

prevent: SI-9 restricts information input quantities and types, such as imposing HTTP line length limits to mitigate unbounded allocations in vulnerable cpp-httplib versions.

References