CVE-2025-52887 HIGH

CVE-2025-52887: cpp-httplib has unlimited number of http header fields, which causes memory leak

Vendor Yhirose
Product cpp-httplib
Weakness CWE-400
Published June 26, 2025
Last update June 26, 2025

CVSS base score

7.5/10
Attack vector Network
Attack complexity Low
Privileges required None
User interaction None
Confidentiality None
Integrity None

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

What the vulnerability does

01 Description

cpp-httplib is a C++11 single-file, header-only, cross-platform HTTP/HTTPS library. In version 0.21.0, the library does not limit the number of HTTP header fields in a request, and the memory associated with those headers is not released when the connection is disconnected. Passing in many header fields can therefore exhaust system memory, resulting in a server crash or unresponsiveness. Version 0.22.0 contains a patch for the issue.
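The mitigation class for this weakness (CWE-400) is a hard cap on header count and line length, enforced before anything is stored. The sketch below is an added example, not cpp-httplib's code or its 0.22.0 patch; the function names and both limit values are assumptions chosen for illustration.

```cpp
#include <cstddef>
#include <map>
#include <string>

// Hypothetical limits for this example; not values taken from cpp-httplib.
constexpr std::size_t kMaxHeaderCount = 100;
constexpr std::size_t kMaxHeaderLineLength = 8192;

enum class HeaderParseResult { Ok, TooManyHeaders, LineTooLong, Malformed };

using HeaderMap = std::multimap<std::string, std::string>;

// Parses a CRLF-delimited header block terminated by an empty line.
// Stops at the first limit violation, so a request cannot grow the map without bound.
HeaderParseResult parse_header_block(const std::string &raw, HeaderMap &out,
                                     std::size_t max_count = kMaxHeaderCount,
                                     std::size_t max_line = kMaxHeaderLineLength) {
  HeaderMap parsed;  // local container: freed automatically on every error path
  std::size_t pos = 0;
  while (true) {
    const std::size_t eol = raw.find("\r\n", pos);
    if (eol == std::string::npos) return HeaderParseResult::Malformed;  // no blank line
    const std::size_t len = eol - pos;
    if (len == 0) break;  // empty line ends the header block
    if (len > max_line) return HeaderParseResult::LineTooLong;
    // Check the count before storing, so the cap is never exceeded even briefly.
    if (parsed.size() >= max_count) return HeaderParseResult::TooManyHeaders;
    const std::size_t colon = raw.find(':', pos);
    if (colon == std::string::npos || colon >= eol || colon == pos)
      return HeaderParseResult::Malformed;
    std::size_t vstart = colon + 1;
    while (vstart < eol && (raw[vstart] == ' ' || raw[vstart] == '\t')) ++vstart;
    parsed.emplace(raw.substr(pos, colon - pos), raw.substr(vstart, eol - vstart));
    pos = eol + 2;
  }
  out.swap(parsed);  // publish results only after the whole block passed the limits
  return HeaderParseResult::Ok;
}

// Constructed sample input: n headers named X-0 .. X-(n-1), then the blank line.
std::string make_header_block(std::size_t n) {
  std::string s;
  for (std::size_t i = 0; i < n; ++i) s += "X-" + std::to_string(i) + ": v\r\n";
  return s + "\r\n";
}
```

A server using a check like this would answer a `TooManyHeaders` or `LineTooLong` result with an error response and close the connection rather than continue reading.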

Key dates

02 Disclosure timeline

June 26, 2025 CVE published
June 26, 2025 Record updated