CVE-2026-29076

NameCVE-2026-29076
Descriptioncpp-httplib is a C++11 single-file header-only cross platform HTTP/HTTPS library. Prior to version 0.37.0, cpp-httplib uses std::regex (libstdc++) to parse RFC 5987 encoded filename* values in multipart Content-Disposition headers. The regex engine in libstdc++ implements backtracking via deep recursion, consuming one stack frame per input character. An attacker can send a single HTTP POST request with a crafted filename* parameter that causes uncontrolled stack growth, resulting in a stack overflow (SIGSEGV) that crashes the server process. This issue has been patched in version 0.37.0.
SourceCVE (at NVD; CERT, ENISA, LWN, oss-sec, fulldisc, Debian ELTS, Red Hat, Ubuntu, Gentoo, SUSE bugzilla/CVE, GitHub advisories/code/issues, web search, more)
Debian Bugs1130235

Vulnerable and fixed packages

The table below lists information on source packages.

Source PackageReleaseVersionStatus
cpp-httplib (PTS)bookworm0.11.4+ds-1+deb12u1vulnerable
forky, sid, trixie0.18.7-1vulnerable

The information below is based on the following data on fixed versions.

PackageTypeReleaseFixed VersionUrgencyOriginDebian Bugs
cpp-httplibsource(unstable)(unfixed)1130235

Notes

https://github.com/yhirose/cpp-httplib/security/advisories/GHSA-qq6v-r583-3h69
Fixed by: https://github.com/yhirose/cpp-httplib/commit/de296af3eb5b0d5c116470e033db900e4812c5e6 (v0.37.0)
Search for package or bug name: Reporting problems