CVE-2026-31870
Published: 11 March 2026
Summary
CVE-2026-31870 is a high-severity Uncaught Exception (CWE-248) vulnerability in Yhirose Cpp-Httplib. Its CVSS base score is 7.5 (High).
Operationally, exploitation aligns with the MITRE ATT&CK technique Application or System Exploitation (T1499.004). The CVE ranks at the 24.9th percentile by exploit likelihood (below the median), is not currently listed in the CISA KEV catalog, and a public proof-of-concept is referenced.
Threat & Defense Details
Likely Mitigating Controls (AI-generated)
Per-CVE control mapping has not yet run for this entry; the controls listed here are derived from the weakness types (CWEs) cited in the NVD entry.
MITRE ATT&CK Enterprise Techniques (AI-generated)
Why these techniques?
An uncaught exception in Content-Length parsing (std::stoull) lets a remote server, or an attacker in a man-in-the-middle position, deterministically crash the client with a single malformed HTTP response. That is a direct match for Application or System Exploitation (T1499.004), the Endpoint Denial of Service sub-technique.
NVD Description
cpp-httplib is a C++11 single-file header-only cross platform HTTP/HTTPS library. Prior to 0.37.1, when a cpp-httplib client uses the streaming API (httplib::stream::Get, httplib::stream::Post, etc.), the library calls std::stoull() directly on the Content-Length header value received from the server with no input validation and no exception handling. std::stoull throws std::invalid_argument for non-numeric strings and std::out_of_range for values exceeding ULLONG_MAX. Since nothing catches these exceptions, the C++ runtime calls std::terminate(), which kills the process with SIGABRT. Any server the client connects to — including servers reached via HTTP redirects, third-party APIs, or man-in-the-middle positions — can crash the client application with a single HTTP response. No authentication is required. No interaction from the end user is required. The crash is deterministic and immediate. This vulnerability is fixed in 0.37.1.
Deeper analysis (AI-generated)
CVE-2026-31870 is a vulnerability in cpp-httplib, a C++11 single-file header-only cross-platform HTTP/HTTPS library, affecting versions prior to 0.37.1. It arises when a client uses the streaming API, such as httplib::stream::Get or httplib::stream::Post. The library invokes std::stoull() directly on the Content-Length header value received from the server without input validation or exception handling. Non-numeric strings trigger std::invalid_argument, while values exceeding ULLONG_MAX trigger std::out_of_range; uncaught exceptions lead to std::terminate(), terminating the process with SIGABRT.
Any server the client connects to—including those via HTTP redirects, third-party APIs, or man-in-the-middle positions—can exploit this by sending a single HTTP response with a malformed Content-Length header, crashing the client application deterministically and immediately. No authentication or end-user interaction is required, enabling remote denial-of-service. The CVSS v3.1 base score is 7.5 (AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H), mapped to CWE-248.
The issue is addressed in cpp-httplib version 0.37.1. Additional details are available in the GitHub security advisory at https://github.com/yhirose/cpp-httplib/security/advisories/GHSA-39q5-hh6x-jpxx.
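To make the failure mode described above concrete, the following is an added example written for this page. It is not cpp-httplib's code and it is not the 0.37.1 fix; it only reproduces the pattern the advisory describes (std::stoull called directly on the header value) next to an illustrative hardened parser. The function names, the hardened parser, and the sample HTTP response are all constructed for the example. The exceptions are caught here solely so the program can report which one std::stoull threw; in the affected library nothing catches them, so the process would abort instead.

```cpp
// Added example (not cpp-httplib code): the unchecked std::stoull pattern
// the advisory describes, beside an illustrative hardened Content-Length parser.
#include <algorithm>
#include <cctype>
#include <climits>
#include <cstdint>
#include <iostream>
#include <limits>
#include <optional>
#include <stdexcept>
#include <string>
#include <string_view>
#include <vector>

enum class Outcome { Value, InvalidArgument, OutOfRange };
struct StoullResult { Outcome outcome; unsigned long long value; };

// Mirrors the pre-0.37.1 pattern: std::stoull straight on the header value.
// In the library nothing catches these exceptions, so std::terminate() fires
// (SIGABRT); here they are caught only so the example can report the type.
StoullResult stoull_as_pre_0_37_1(const std::string& header_value) {
  try {
    return {Outcome::Value, std::stoull(header_value)};
  } catch (const std::invalid_argument&) {   // e.g. "abc" or ""
    return {Outcome::InvalidArgument, 0};
  } catch (const std::out_of_range&) {       // value exceeds ULLONG_MAX
    return {Outcome::OutOfRange, 0};
  }
}

// Hardened parser (constructed for this example, not the upstream fix): accepts
// exactly the RFC 9110 grammar 1*DIGIT, rejects overflow, and never throws.
// Note what std::stoull silently tolerates and this rejects: a sign, leading
// whitespace, and trailing junk such as "42abc".
std::optional<uint64_t> parse_content_length(std::string_view s) {
  if (s.empty()) return std::nullopt;
  constexpr uint64_t kMax = std::numeric_limits<uint64_t>::max();
  uint64_t value = 0;
  for (char c : s) {
    if (c < '0' || c > '9') return std::nullopt;           // digits only
    const uint64_t digit = static_cast<uint64_t>(c - '0');
    if (value > (kMax - digit) / 10) return std::nullopt;  // would overflow
    value = value * 10 + digit;
  }
  return value;
}

// Extract the Content-Length field value from a raw response head: skip the
// status line, match the header name case-insensitively, stop at the blank
// line, and trim optional whitespace around the value.
std::optional<std::string> content_length_header(std::string_view raw) {
  size_t pos = raw.find("\r\n");
  if (pos == std::string_view::npos) return std::nullopt;
  pos += 2;
  while (pos < raw.size()) {
    size_t eol = raw.find("\r\n", pos);
    if (eol == std::string_view::npos) eol = raw.size();
    std::string_view line = raw.substr(pos, eol - pos);
    pos = eol + 2;
    if (line.empty()) break;
    size_t colon = line.find(':');
    if (colon == std::string_view::npos) continue;
    std::string name(line.substr(0, colon));
    std::transform(name.begin(), name.end(), name.begin(),
                   [](unsigned char ch) { return static_cast<char>(std::tolower(ch)); });
    if (name != "content-length") continue;
    std::string_view v = line.substr(colon + 1);
    while (!v.empty() && (v.front() == ' ' || v.front() == '\t')) v.remove_prefix(1);
    while (!v.empty() && (v.back() == ' ' || v.back() == '\t')) v.remove_suffix(1);
    return std::string(v);
  }
  return std::nullopt;
}

// Constructed sample response: what a hostile or MITM'd server would return.
const char kMaliciousResponse[] =
    "HTTP/1.1 200 OK\r\n"
    "Content-Type: application/octet-stream\r\n"
    "Content-Length: abc\r\n"
    "\r\n";

int main() {
  const std::vector<std::string> probes = {
      "1234", "abc", "", "99999999999999999999", "-1", " 42", "42abc"};
  for (const auto& p : probes) {
    StoullResult old = stoull_as_pre_0_37_1(p);
    std::optional<uint64_t> safe = parse_content_length(p);
    std::cout << "\"" << p << "\": pre-0.37.1=";
    if (old.outcome == Outcome::Value) std::cout << old.value;
    else std::cout << (old.outcome == Outcome::InvalidArgument ? "invalid_argument (would terminate)"
                                                              : "out_of_range (would terminate)");
    std::cout << "  hardened=" << (safe ? std::to_string(*safe) : "rejected") << "\n";
  }
  std::optional<std::string> hdr = content_length_header(kMaliciousResponse);
  std::cout << "Content-Length from sample response: " << (hdr ? *hdr : "<none>") << "\n";
  return 0;
}
```

Two points worth noticing when running it: std::stoull does not merely throw on bad input, it also quietly accepts "-1" (returning ULLONG_MAX), " 42" and "42abc", so a client that only adds a try/catch still ends up trusting a length the server chose. A strict digits-only parser closes both problems, and in practice it should be paired with an application-level cap on the body size the client is willing to read.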
Details
- CWE(s)