CVE-2026-22776
Decompression DoS in cpp-httplib via Compressed HTTP Bodies
Publication date: 2026-01-12
Last updated on: 2026-01-12
Assigner: GitHub, Inc.
Description
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| yhirose | cpp-httplib | < 0.30.1 |
| yhirose | cpp-httplib | <= 0.29.0 |
Exploitability
| CWE ID | Description |
|---|---|
| CWE-409 | The product does not handle or incorrectly handles a compressed input with a very high compression ratio that produces a large output. |
AI Powered Q&A
Can you explain this vulnerability to me?
CVE-2026-22776 is a Denial of Service (DoS) vulnerability in the cpp-httplib C++ HTTP/HTTPS library versions prior to 0.30.1. The issue arises because the library checks the size of compressed HTTP request bodies against a configured maximum payload size but does not limit the size of the decompressed data stored in memory. An attacker can exploit this by sending a small compressed payload (a "zip bomb") that decompresses into a very large amount of data, causing the server to consume excessive memory and crash due to out-of-memory conditions. [1]
How can this vulnerability impact me?
This vulnerability can cause a high-severity Denial of Service (DoS) impact by allowing an attacker to crash the server remotely without any privileges or user interaction. By sending a specially crafted compressed HTTP request body that decompresses to a massive size, the server's memory can be exhausted, leading to a crash or shutdown. This disrupts availability of the service relying on cpp-httplib. [1]
How can this vulnerability be detected on my network or system? Can you suggest some commands?
This vulnerability can be detected by monitoring for decompressed HTTP request bodies that are unusually large relative to the expected payload size, especially in requests carrying a Content-Encoding header such as gzip or br. One practical approach is to capture HTTP POST requests with compressed bodies and compare their decompressed size with the size on the wire. curl or similar tools, or Python scripts like the one in the proof-of-concept, can send a small test payload that decompresses to a very large size and show whether the server crashes or exhausts memory. Network packet capture tools such as tcpdump or Wireshark can also capture HTTP traffic so that Content-Encoding headers and payload sizes can be analyzed. No specific commands are provided in the resources, however. [1]
What immediate steps should I take to mitigate this vulnerability?
The immediate mitigation step is to upgrade cpp-httplib to version 0.30.1 or later, where the vulnerability is patched by enforcing a limit on the decompressed payload size. The patch adds checks to ensure that the decompressed data size does not exceed the configured payload_max_length before appending to the request body, preventing resource exhaustion from zip bomb attacks. If upgrading is not immediately possible, consider implementing application-level limits on decompressed request body sizes or filtering requests with suspicious Content-Encoding headers. Additionally, monitoring and blocking unusually large decompressed payloads can help mitigate the risk until the patch is applied. [1, 2]
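The check the advisory describes (compressed length compared with payload_max_length, decompressed length not) next to the fixed form, as an added example that is not cpp-httplib's own code: a toy run-length codec stands in for gzip so the example runs without zlib, and the names rle_decompress, read_body_unbounded, read_body_bounded and make_bomb are assumptions; payload_max_length is the option the advisory names.

```cpp
#include <cstddef>
#include <cstdint>
#include <functional>
#include <string>

// Toy run-length codec standing in for gzip/brotli so the example runs without
// zlib: each input pair (count, byte) expands to `count` copies of `byte`.
// As in cpp-httplib's decompressor interface, output is handed to a callback in
// chunks, and the callback returns false to abort decompression.
using Sink = std::function<bool(const char *, size_t)>;

static bool rle_decompress(const std::string &in, const Sink &sink) {
  for (size_t i = 0; i + 1 < in.size(); i += 2) {
    size_t count = static_cast<uint8_t>(in[i]);
    std::string chunk(count, in[i + 1]);
    if (!sink(chunk.data(), chunk.size())) return false;
  }
  return true;
}

// Pre-fix shape of the check: only the *compressed* length is compared with
// payload_max_length, so a tiny body can grow the request buffer without bound.
static bool read_body_unbounded(const std::string &compressed,
                                size_t payload_max_length, std::string &body) {
  if (compressed.size() > payload_max_length) return false;  // the only check
  return rle_decompress(compressed, [&](const char *d, size_t n) {
    body.append(d, n);
    return true;
  });
}

// Fixed shape (what the advisory describes for 0.30.1): the limit is applied to
// the decompressed bytes before they are appended, so memory use stays capped
// regardless of the compression ratio.
static bool read_body_bounded(const std::string &compressed,
                              size_t payload_max_length, std::string &body) {
  if (compressed.size() > payload_max_length) return false;
  return rle_decompress(compressed, [&](const char *d, size_t n) {
    if (body.size() + n > payload_max_length) return false;  // reject the bomb
    body.append(d, n);
    return true;
  });
}

// Constructed 4-byte "zip bomb" for the toy codec: expands to 2 * 255 bytes.
static std::string make_bomb() { return std::string("\xff\x41\xff\x41", 4); }
```

With a 64-byte payload_max_length the 4-byte body passes the compressed-size check and the unbounded reader stores 510 bytes, while the bounded reader rejects it before the first oversized chunk is appended.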