CVE-2026-28435
Published: 04 March 2026
Summary
CVE-2026-28435 is a high-severity Uncontrolled Resource Consumption (CWE-400) vulnerability in Yhirose Cpp-Httplib. Its CVSS base score is 7.5 (High).
Operationally, exploitation aligns with the MITRE ATT&CK technique Application or System Exploitation (T1499.004). The CVE ranks at the 24.7th percentile by exploit likelihood (below the median), is not currently listed in the CISA KEV catalog, and has a referenced public proof-of-concept.
The strongest mitigations our analysis identified are NIST 800-53 SC-5 (Denial-of-service Protection) and SI-2 (Flaw Remediation).
Deeper analysis
CVE-2026-28435 affects cpp-httplib, a C++11 single-file header-only cross-platform HTTP/HTTPS library, in versions prior to 0.35.0. The vulnerability arises because the library does not enforce the Server::set_payload_max_length() limit on the decompressed request body when using HandlerWithContentReader (streaming ContentReader) with Content-Encoding: gzip or other supported encodings. This allows a small compressed payload to expand beyond the configured payload limit and be processed by the application, resulting in a payload size limit bypass.
The vulnerability has a CVSS v3.1 base score of 7.5 (AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H), indicating that it is exploitable over the network with low attack complexity and requires neither privileges nor user interaction. An unauthenticated attacker can send an HTTP request whose small gzip-compressed body decompresses to a much larger size, causing the application to process excessive data and leading to denial of service through CPU or memory exhaustion.
The issue is fixed in cpp-httplib version 0.35.0. The GitHub security advisory (GHSA-xvfx-w463-6fpp) and the fixing commit (c99d7472b5cf4869d3897b9afc9792063a3d15a8) detail the patch, which enforces the payload length limit on decompressed content. Practitioners should upgrade to 0.35.0 or later to mitigate the vulnerability.
EU & UK References
- 🇪🇺 ENISA EUVD: EUVD-2026-9496
Vulnerability details
cpp-httplib is a C++11 single-file header-only cross platform HTTP/HTTPS library. Prior to 0.35.0, cpp-httplib (httplib.h) does not enforce Server::set_payload_max_length() on the decompressed request body when using HandlerWithContentReader (streaming ContentReader) with Content-Encoding: gzip (or other supported encodings). A small compressed payload can expand beyond the configured payload limit and be processed by the application, enabling a payload size limit bypass and potential denial of service (CPU/memory exhaustion). This vulnerability is fixed in 0.35.0.
- CWE(s): CWE-400 (Uncontrolled Resource Consumption)
Related Threats
MITRE ATT&CK Enterprise Techniques
Why these techniques?
The vulnerability is a decompression limit bypass in a public HTTP library that enables an unauthenticated network attacker to trigger CPU/memory exhaustion (DoS) via a crafted small gzip payload; this directly matches application/system exploitation resulting in endpoint denial of service.
Mitigating Controls
Mitigating Controls (NIST 800-53 r5)
Flaw Remediation (SI-2): patch cpp-httplib to version 0.35.0 or later, which enforces payload limits on decompressed content and directly prevents exploitation.
Denial-of-service Protection (SC-5): enforcing size limits at system entry points (reverse proxies, API gateways) blocks oversized decompressed payloads that bypass application limits, mitigating CPU/memory exhaustion attacks.
Information Input Validation (SI-10): check HTTP request bodies for excessive size after decompression, rejecting oversized gzip payloads before they are fully processed.
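The deeper analysis above describes the failure mode (a streaming ContentReader delivering decompressed data past the configured cap) and the SI-10 control above describes the handler-side check that closes it for applications that cannot upgrade immediately. The following is an added illustration, not cpp-httplib's own code or its fix: it models the library's streaming reader with a stand-in that hands decompressed chunks to a callback of the same shape as cpp-httplib's ContentReader callback (`bool(const char*, size_t)`), and shows a handler-side limiter that counts bytes after decompression and returns `false` to stop the read as soon as the cap is crossed. `DecompressedBodyLimiter`, `deliver_expanded` and `handle_streamed_body` are hypothetical names; the "expanded body" is constructed filler, with no real gzip involved.

```cpp
#include <cstddef>
#include <functional>
#include <iostream>
#include <string>

// Hypothetical handler-side guard: counts the bytes a streaming reader delivers
// *after* decompression and refuses once a cap would be exceeded. Rejecting
// inside the callback stops the library from inflating any further data, so
// memory held by the handler is bounded by max_bytes regardless of the
// compression ratio of the request.
class DecompressedBodyLimiter {
 public:
  explicit DecompressedBodyLimiter(std::size_t max_bytes) : max_bytes_(max_bytes) {}

  // Callback body for a ContentReader: true = keep reading, false = abort.
  bool accept(const char* data, std::size_t len) {
    // received_ never exceeds max_bytes_, so the subtraction cannot underflow.
    if (len > max_bytes_ - received_) {
      exceeded_ = true;
      return false;
    }
    received_ += len;
    body_.append(data, len);
    return true;
  }

  bool exceeded() const { return exceeded_; }
  std::size_t received() const { return received_; }
  const std::string& body() const { return body_; }

 private:
  std::size_t max_bytes_;
  std::size_t received_ = 0;
  bool exceeded_ = false;
  std::string body_;
};

// Same callback shape as cpp-httplib's ContentReader callback.
using ChunkCallback = std::function<bool(const char*, std::size_t)>;

// Stand-in for the library's streaming decompressor (constructed, no real gzip):
// delivers `total` bytes of filler in `chunk_size` pieces, generated lazily, and
// stops as soon as the callback returns false. Returns true if everything was
// delivered and accepted.
bool deliver_expanded(std::size_t total, std::size_t chunk_size, const ChunkCallback& cb) {
  std::string filler(chunk_size, 'A');
  while (total > 0) {
    std::size_t n = total < chunk_size ? total : chunk_size;
    if (!cb(filler.data(), n)) return false;  // handler refused: stop inflating
    total -= n;
  }
  return true;
}

// The handler's decision for one request: returns the HTTP status it would
// send. 413 (Payload Too Large) if the decompressed stream crossed the cap,
// otherwise 200 once the bounded body can safely be handed to application logic.
int handle_streamed_body(std::size_t max_bytes, std::size_t decompressed_total,
                         std::size_t chunk_size) {
  DecompressedBodyLimiter limiter(max_bytes);
  deliver_expanded(decompressed_total, chunk_size,
                   [&](const char* data, std::size_t len) { return limiter.accept(data, len); });
  if (limiter.exceeded()) return 413;
  return 200;
}

int main() {
  // 1 MiB cap: a body that would expand to 64 MiB is refused after at most 1 MiB
  // has been delivered; a body of exactly 1 MiB is accepted.
  std::cout << handle_streamed_body(1 << 20, 64u << 20, 16 << 10) << "\n";  // 413
  std::cout << handle_streamed_body(1 << 20, 1 << 20, 16 << 10) << "\n";    // 200
}
```

In a real cpp-httplib handler the limiter's `accept` would be called from inside the lambda passed to `content_reader(...)`; the point is that the count is taken on the bytes the callback actually receives, which are post-decompression, rather than on the Content-Length of the compressed request. This is defense in depth only; the fix is upgrading to 0.35.0, where the library enforces the limit itself.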