Cyber Resilience

CVE-2026-28435

HighPublic PoCDDoS

Published: 04 March 2026

Published
04 March 2026
Modified
05 March 2026
KEV Added
Patch
CVSS Score v3.1 7.5 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
EPSS Score 0.0008 24.7th percentile
Risk Priority 15 60% EPSS · 20% KEV · 20% CVSS

Summary

CVE-2026-28435 is a high-severity Uncontrolled Resource Consumption (CWE-400) vulnerability in Yhirose Cpp-Httplib. Its CVSS base score is 7.5 (High).

Operationally, exploitation aligns with the MITRE ATT&CK technique Application or System Exploitation (T1499.004); ranked at the 24.7th percentile by exploit likelihood (below the median); it is not currently listed in the CISA KEV catalog; a public proof-of-concept is referenced.

The strongest mitigations our analysis identified are NIST 800-53 SC-5 (Denial-of-service Protection) and SI-2 (Flaw Remediation).

Deeper analysis

CVE-2026-28435 affects cpp-httplib, a C++11 single-file header-only cross-platform HTTP/HTTPS library, in versions prior to 0.35.0. The vulnerability arises because the library does not enforce the Server::set_payload_max_length() limit on the decompressed request body when using HandlerWithContentReader (streaming ContentReader) with Content-Encoding: gzip or other supported encodings. This allows a small compressed payload to expand beyond the configured payload limit and be processed by the application, resulting in a payload size limit bypass.

The vulnerability has a CVSS v3.1 base score of 7.5 (AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H), indicating it is exploitable over the network with low complexity, no privileges or user interaction required. An unauthenticated attacker can send a malicious HTTP request with a small gzip-compressed body that decompresses to a much larger size, causing the application to process excessive data and leading to denial of service through CPU or memory exhaustion.

The issue is fixed in cpp-httplib version 0.35.0. The GitHub security advisory (GHSA-xvfx-w463-6fpp) and the fixing commit (c99d7472b5cf4869d3897b9afc9792063a3d15a8) detail the patch, which enforces the payload length limit on decompressed content. Practitioners should upgrade to 0.35.0 or later to mitigate the vulnerability.

EU & UK References

Vulnerability details

cpp-httplib is a C++11 single-file header-only cross platform HTTP/HTTPS library. Prior to 0.35.0, cpp-httplib (httplib.h) does not enforce Server::set_payload_max_length() on the decompressed request body when using HandlerWithContentReader (streaming ContentReader) with Content-Encoding: gzip (or other supported encodings). A small compressed payload…

more

can expand beyond the configured payload limit and be processed by the application, enabling a payload size limit bypass and potential denial of service (CPU/memory exhaustion). This vulnerability is fixed in 0.35.0.

CWE(s)

Related Threats

MITRE ATT&CK Enterprise TechniquesAI

T1499.004 Application or System Exploitation Impact
Adversaries may exploit software vulnerabilities that can cause an application or system to crash and deny availability to users.
Why these techniques?

The vulnerability is a decompression limit bypass in a public HTTP library that enables an unauthenticated network attacker to trigger CPU/memory exhaustion (DoS) via a crafted small gzip payload; this directly matches application/system exploitation resulting in endpoint denial of service.

Confidence: HIGH · MITRE ATT&CK Enterprise v18.1

CVEs Like This One

CVE-2026-22776Same product: Yhirose Cpp-Httplib
CVE-2025-53628Same product: Yhirose Cpp-Httplib
CVE-2026-31870Same product: Yhirose Cpp-Httplib
CVE-2026-32627Same product: Yhirose Cpp-Httplib
CVE-2026-33745Same product: Yhirose Cpp-Httplib
CVE-2026-21428Same product: Yhirose Cpp-Httplib
CVE-2024-56921Shared CWE-400
CVE-2026-33538Shared CWE-400
CVE-2026-0517Shared CWE-400
CVE-2026-6051Shared CWE-400

Affected Assets

yhirose
cpp-httplib
≤ 0.35.0

Mitigating Controls

Mitigating Controls (NIST 800-53 r5) AI

prevent

Timely flaw remediation requires patching cpp-httplib to version 0.35.0 or later, which enforces payload limits on decompressed content and directly prevents exploitation.

prevent

Denial-of-service protection at system entry points blocks oversized decompressed payloads that bypass application limits, mitigating CPU/memory exhaustion attacks.

prevent

Information input validation requires checking HTTP request bodies for excessive size post-decompression, rejecting malicious gzip payloads before full processing.

References