Cyber Resilience

CVE-2026-31870

Severity: High · Public PoC

Published: 11 March 2026
Modified: 18 March 2026
KEV Added: not listed
Patch: available (fixed in 0.37.1)
CVSS Score v3.1: 7.5 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H)
EPSS Score: 0.0012 (30.0th percentile)
Risk Priority: 15 (weighted 60% EPSS · 20% KEV · 20% CVSS)

Summary

CVE-2026-31870 is a high-severity Uncaught Exception (CWE-248) vulnerability in Yhirose Cpp-Httplib. Its CVSS base score is 7.5 (High).

Operationally, exploitation maps to the MITRE ATT&CK technique Application or System Exploitation (T1499.004). EPSS ranks the vulnerability at the 30.0th percentile by exploit likelihood (below the median), it is not currently listed in the CISA KEV catalog, and a public proof-of-concept is referenced.

The strongest mitigations our analysis identified are NIST 800-53 SI-11 (Error Handling) and SI-2 (Flaw Remediation).

Deeper analysis

CVE-2026-31870 is a vulnerability in cpp-httplib, a C++11 single-file header-only cross-platform HTTP/HTTPS library, affecting versions prior to 0.37.1. It arises when a client uses the streaming API, such as httplib::stream::Get or httplib::stream::Post. The library invokes std::stoull() directly on the Content-Length header value received from the server without input validation or exception handling. Non-numeric strings trigger std::invalid_argument, while values exceeding ULLONG_MAX trigger std::out_of_range; uncaught exceptions lead to std::terminate(), terminating the process with SIGABRT.

Any server the client connects to—including those via HTTP redirects, third-party APIs, or man-in-the-middle positions—can exploit this by sending a single HTTP response with a malformed Content-Length header, crashing the client application deterministically and immediately. No authentication or end-user interaction is required, enabling remote denial-of-service. The CVSS v3.1 base score is 7.5 (AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H), mapped to CWE-248.

The issue is addressed in cpp-httplib version 0.37.1. Additional details are available in the GitHub security advisory at https://github.com/yhirose/cpp-httplib/security/advisories/GHSA-39q5-hh6x-jpxx.


Vulnerability details

cpp-httplib is a C++11 single-file header-only cross-platform HTTP/HTTPS library. Prior to 0.37.1, when a cpp-httplib client uses the streaming API (httplib::stream::Get, httplib::stream::Post, etc.), the library calls std::stoull() directly on the Content-Length header value received from the server with no input validation and no exception handling. std::stoull throws std::invalid_argument for non-numeric strings and std::out_of_range for values exceeding ULLONG_MAX. Since nothing catches these exceptions, the C++ runtime calls std::terminate(), which kills the process with SIGABRT. Any server the client connects to, including servers reached via HTTP redirects, third-party APIs, or man-in-the-middle positions, can crash the client application with a single HTTP response. No authentication is required. No interaction from the end user is required. The crash is deterministic and immediate. This vulnerability is fixed in 0.37.1.

CWE(s)

CWE-248 Uncaught Exception

Related Threats

MITRE ATT&CK Enterprise Techniques

T1499.004 Application or System Exploitation (Impact)
Adversaries may exploit software vulnerabilities that can cause an application or system to crash and deny availability to users.

Why these techniques?

An uncaught exception in Content-Length parsing (std::stoull) allows a remote server or a man-in-the-middle to deterministically crash the client with a single malformed HTTP response, which directly matches Application or System Exploitation as a form of endpoint denial of service.

Confidence: HIGH · MITRE ATT&CK Enterprise v18.1

CVEs Like This One

CVE-2026-28435 (same product: Yhirose Cpp-Httplib)
CVE-2026-22776 (same product: Yhirose Cpp-Httplib)
CVE-2025-53628 (same product: Yhirose Cpp-Httplib)
CVE-2026-32627 (same product: Yhirose Cpp-Httplib)
CVE-2026-33745 (same product: Yhirose Cpp-Httplib)
CVE-2026-21428 (same product: Yhirose Cpp-Httplib)
CVE-2025-20172 (shared CWE-248)
CVE-2025-59466 (shared CWE-248)
CVE-2026-1507 (shared CWE-248)
CVE-2026-44001 (shared CWE-248)

Affected Assets

Vendor: yhirose
Product: cpp-httplib
Affected versions: prior to 0.37.1 (fixed in 0.37.1)

Mitigating Controls

Mitigating Controls (NIST 800-53 r5)

SI-2 Flaw Remediation (prevent): timely patching of the cpp-httplib library to version 0.37.1 or later, which directly fixes the unhandled std::stoull() exception on malformed Content-Length headers.

SI-11 Error Handling (prevent): logic that catches and gracefully manages exceptions such as std::invalid_argument or std::out_of_range from std::stoull(), so that a malformed header cannot terminate the process via std::terminate().

SI-10 Information Input Validation (prevent): checking Content-Length header values for numeric format and range before the streaming API processes them, so malformed input from an untrusted server is rejected rather than parsed.
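The mechanism described in the analysis above (std::stoull called on an untrusted header) and the error-handling and input-validation controls listed here can be shown side by side. The code below is an added example written for this page, not cpp-httplib's own code or the 0.37.1 fix. `legacy_stoull_throws` reproduces the pre-0.37.1 pattern inside a try/catch so its failure mode can be observed without aborting the process, and `parse_content_length` is a hypothetical hardened replacement that validates the value against the RFC 9110 grammar for Content-Length (1*DIGIT), detects overflow before it occurs, and reports failure through its return value instead of an exception. The function names, the `max_allowed` policy parameter and the sample header values are assumptions constructed for the example.

```cpp
#include <cstdint>
#include <cstdio>
#include <limits>
#include <stdexcept>
#include <string>

// Pre-0.37.1 pattern (std::stoull straight on the header value), wrapped in a
// try/catch only so the failure can be observed. Returns true when std::stoull()
// throws; left uncaught, such a throw reaches std::terminate() and the process
// dies with SIGABRT. Note what std::stoull silently tolerates: "123abc" parses
// as 123 and "-1" is negated rather than rejected.
bool legacy_stoull_throws(const std::string &header_value)
{
    try {
        (void)std::stoull(header_value);
        return false;
    } catch (const std::invalid_argument &) {
        return true; // non-numeric value, e.g. "abc"
    } catch (const std::out_of_range &) {
        return true; // value exceeds ULLONG_MAX
    }
}

// Hypothetical hardened replacement (assumed name, not cpp-httplib's API).
// RFC 9110 defines Content-Length as 1*DIGIT, so accept only a non-empty run
// of ASCII digits with optional surrounding whitespace, reject anything else
// ("+5", "-1", "123abc", "0x10"), check for overflow before it happens, and
// report failure through the return value. max_allowed is an assumed
// client-side policy cap on how large a body the client is willing to stream.
bool parse_content_length(const std::string &header_value,
                          std::uint64_t &out,
                          std::uint64_t max_allowed = std::numeric_limits<std::uint64_t>::max())
{
    const std::uint64_t kMax = std::numeric_limits<std::uint64_t>::max();

    // Trim optional whitespace (OWS) around the field value.
    const std::size_t begin = header_value.find_first_not_of(" \t");
    if (begin == std::string::npos) return false; // empty or whitespace-only
    const std::size_t end = header_value.find_last_not_of(" \t");

    std::uint64_t result = 0;
    for (std::size_t i = begin; i <= end; ++i) {
        const char c = header_value[i];
        if (c < '0' || c > '9') return false; // any non-digit rejects the whole value
        const std::uint64_t digit = static_cast<std::uint64_t>(c - '0');
        // result * 10 + digit must stay <= kMax; verify before multiplying.
        if (result > (kMax - digit) / 10) return false;
        result = result * 10 + digit;
    }
    if (result > max_allowed) return false; // well-formed but over the client's policy
    out = result;
    return true;
}

int main()
{
    // Constructed header values a malicious or buggy server might send.
    const char *samples[] = {"1024", "abc", "18446744073709551616", "-1", "123abc"};
    for (const char *s : samples) {
        std::uint64_t n = 0;
        std::printf("%-22s legacy stoull throws: %-3s | hardened: %s\n", s,
                    legacy_stoull_throws(s) ? "yes" : "no",
                    parse_content_length(s, n) ? "accepted" : "rejected");
    }
    return 0;
}
```

The overflow test `result > (kMax - digit) / 10` is exact: it is true precisely when `result * 10 + digit` would exceed the 64-bit maximum, so the largest representable value is still accepted while one more digit is refused. Rejecting the whole header on any non-digit is deliberate; a lenient parser that stops at the first bad character is what makes `123abc` look like a valid length.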
