CVE-2026-31870
Published: 11 March 2026
Summary
CVE-2026-31870 is a high-severity Uncaught Exception (CWE-248) vulnerability in Yhirose Cpp-Httplib. Its CVSS base score is 7.5 (High).
Operationally, exploitation aligns with the MITRE ATT&CK technique Application or System Exploitation (T1499.004). The vulnerability ranks at the 30.0th percentile by exploit likelihood (below the median), is not currently listed in the CISA KEV catalog, and a public proof-of-concept is referenced.
The strongest mitigations our analysis identified are NIST 800-53 SI-11 (Error Handling) and SI-2 (Flaw Remediation).
Deeper analysis
CVE-2026-31870 is a vulnerability in cpp-httplib, a C++11 single-file header-only cross-platform HTTP/HTTPS library, affecting versions prior to 0.37.1. It arises when a client uses the streaming API, such as httplib::stream::Get or httplib::stream::Post. The library invokes std::stoull() directly on the Content-Length header value received from the server without input validation or exception handling. Non-numeric strings trigger std::invalid_argument, while values exceeding ULLONG_MAX trigger std::out_of_range; uncaught exceptions lead to std::terminate(), terminating the process with SIGABRT.
Any server the client connects to—including those reached via HTTP redirects, third-party APIs, or man-in-the-middle positions—can exploit this by sending a single HTTP response with a malformed Content-Length header, crashing the client application deterministically and immediately. No authentication or end-user interaction is required, enabling remote denial of service. The CVSS v3.1 base score is 7.5 (AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H), mapped to CWE-248.
The issue is addressed in cpp-httplib version 0.37.1. Additional details are available in the GitHub security advisory at https://github.com/yhirose/cpp-httplib/security/advisories/GHSA-39q5-hh6x-jpxx.
EU & UK References
- 🇪🇺 ENISA EUVD: EUVD-2026-11275
Vulnerability details
cpp-httplib is a C++11 single-file header-only cross-platform HTTP/HTTPS library. Prior to 0.37.1, when a cpp-httplib client uses the streaming API (httplib::stream::Get, httplib::stream::Post, etc.), the library calls std::stoull() directly on the Content-Length header value received from the server with no input validation and no exception handling. std::stoull throws std::invalid_argument for non-numeric strings and std::out_of_range for values exceeding ULLONG_MAX. Since nothing catches these exceptions, the C++ runtime calls std::terminate(), which kills the process with SIGABRT. Any server the client connects to — including servers reached via HTTP redirects, third-party APIs, or man-in-the-middle positions — can crash the client application with a single HTTP response. No authentication is required. No interaction from the end user is required. The crash is deterministic and immediate. This vulnerability is fixed in 0.37.1.
Related Threats
MITRE ATT&CK Enterprise Techniques
Why these techniques?
An uncaught exception in Content-Length parsing (std::stoull) allows a remote server or a man-in-the-middle to deterministically crash the client with a single malformed HTTP response, which directly matches Application or System Exploitation (T1499.004) under Endpoint Denial of Service.
Mitigating Controls (NIST 800-53 r5)
- SI-2 (Flaw Remediation): timely patching of the cpp-httplib library to version 0.37.1 or later, which directly fixes the unhandled std::stoull() exception on malformed Content-Length headers.
- SI-11 (Error Handling): logic that catches and gracefully manages the std::invalid_argument and std::out_of_range exceptions std::stoull() can throw, so a bad header is reported as an error instead of ending the process through std::terminate().
- SI-10 (Information Input Validation): checking that the Content-Length header value is a plain decimal integer within range before the streaming API acts on it, so malformed input from an untrusted server is rejected rather than parsed.
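The following C++17 example is added here to illustrate both the failure mode described above and the SI-10/SI-11 mitigations; it is not cpp-httplib code and is not taken from the advisory. parse_content_length_unsafe reproduces the unguarded std::stoull pattern, unsafe_outcome wraps it in a try/catch purely so the demonstration can report which exception fires without aborting, and parse_content_length is a hardened replacement that validates the header as 1*DIGIT and converts with std::from_chars, which never throws. check_content_length and its max_body cap are a hypothetical application-level policy layer, not a cpp-httplib setting; all header values in the block are constructed test inputs.

```cpp
#include <charconv>
#include <cstdint>
#include <iostream>
#include <limits>
#include <optional>
#include <stdexcept>
#include <string>
#include <string_view>
#include <system_error>

// Vulnerable pattern (as described in the advisory): std::stoull on the raw
// header value. "abc" throws std::invalid_argument, a value above ULLONG_MAX
// throws std::out_of_range, and an uncaught throw ends in std::terminate().
// Note that stoull also silently tolerates input a strict parser should not:
// leading whitespace is skipped and "-1" wraps to ULLONG_MAX without error.
unsigned long long parse_content_length_unsafe(const std::string& value) {
    return std::stoull(value);  // may throw
}

// Demo helper only: run the unguarded call under try/catch so this program
// does not abort, and report what happened.
std::string unsafe_outcome(const std::string& value) {
    try {
        (void)parse_content_length_unsafe(value);
        return "ok";
    } catch (const std::invalid_argument&) {
        return "invalid_argument";
    } catch (const std::out_of_range&) {
        return "out_of_range";
    }
}

// Hardened parser (SI-10 + SI-11): validate first, convert with a non-throwing
// API, and hand the caller an empty optional for anything that is not a plain
// decimal integer that fits in uint64_t. The header parser is assumed to have
// already stripped the optional whitespace around the field value.
std::optional<std::uint64_t> parse_content_length(std::string_view value) {
    // RFC 9110 Content-Length is 1*DIGIT: reject empty, signs, spaces, "0x".
    if (value.empty()) return std::nullopt;
    for (char c : value) {
        if (c < '0' || c > '9') return std::nullopt;
    }
    std::uint64_t n = 0;
    auto [ptr, ec] = std::from_chars(value.data(), value.data() + value.size(), n, 10);
    // result_out_of_range covers values above UINT64_MAX; ptr must consume all.
    if (ec != std::errc() || ptr != value.data() + value.size()) return std::nullopt;
    return n;
}

// Hypothetical policy layer on top of parsing: a streaming client can refuse
// bodies whose declared length exceeds an application-chosen cap (max_body).
enum class LengthCheck { Ok, Malformed, TooLarge };
struct LengthDecision { LengthCheck status; std::uint64_t length; };

LengthDecision check_content_length(std::string_view value, std::uint64_t max_body) {
    auto parsed = parse_content_length(value);
    if (!parsed) return {LengthCheck::Malformed, 0};
    if (*parsed > max_body) return {LengthCheck::TooLarge, *parsed};
    return {LengthCheck::Ok, *parsed};
}

int main() {
    // Constructed header values: one valid, the two malformed kinds from the
    // advisory, and two that stoull accepts but a strict parser rejects.
    const char* samples[] = {"1234", "abc", "18446744073709551616", "-1", " 42"};
    for (const char* s : samples) {
        auto strict = parse_content_length(s);
        std::cout << '"' << s << "\": stoull -> " << unsafe_outcome(s)
                  << ", hardened -> "
                  << (strict ? std::to_string(*strict) : std::string("rejected"))
                  << '\n';
    }
    return 0;
}
```

Running it shows the asymmetry that matters for a client: the unguarded call ends the demonstration's try block with an exception for two of the five inputs (and would abort a real client that lacks the try/catch), while the hardened parser rejects four of them and only accepts the well-formed "1234".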