CVE-2026-22776
Unknown Unknown - Not Provided
Decompression DoS in cpp-httplib via Compressed HTTP Bodies

Publication date: 2026-01-12

Last updated on: 2026-01-12

Assigner: GitHub, Inc.

Description
cpp-httplib is a C++11 single-file header-only cross platform HTTP/HTTPS library. Prior to version 0.30.1, a Denial of Service (DoS) vulnerability exists in cpp-httplib due to the unsafe handling of compressed HTTP request bodies (Content-Encoding: gzip, br, etc.). The library validates the payload_max_length against the compressed data size received from the network, but does not limit the size of the decompressed data stored in memory.
CVSS Scores
EPSS Scores
Probability:
Percentile:
Meta Information
Published
2026-01-12
Last Modified
2026-01-12
Generated
2026-06-16
AI Q&A
2026-01-13
EPSS Evaluated
2026-06-14
NVD
CVE-2026-22776
EUVD
EUVD-2026-2006
Affected Vendors & Products
Showing 2 associated CPEs
Vendor Product Version / Range
yhirose cpp-httplib to 0.30.1 (exc)
yhirose cpp-httplib to 0.29.0 (inc)
Helpful Resources
Exploitability
CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-409 The product does not handle or incorrectly handles a compressed input with a very high compression ratio that produces a large output.
Attack-Flow Graph
AI Quick Actions
Instant insights powered by AI
Mitigation Strategies

The immediate mitigation step is to upgrade cpp-httplib to version 0.30.1 or later, where the vulnerability is patched by enforcing a limit on the decompressed payload size. The patch adds checks to ensure that the decompressed data size does not exceed the configured payload_max_length before appending to the request body, preventing resource exhaustion from zip bomb attacks. If upgrading is not immediately possible, consider implementing application-level limits on decompressed request body sizes or filtering requests with suspicious Content-Encoding headers. Additionally, monitoring and blocking unusually large decompressed payloads can help mitigate the risk until the patch is applied. [1, 2]

Executive Summary

CVE-2026-22776 is a Denial of Service (DoS) vulnerability in the cpp-httplib C++ HTTP/HTTPS library versions prior to 0.30.1. The issue arises because the library checks the size of compressed HTTP request bodies against a configured maximum payload size but does not limit the size of the decompressed data stored in memory. An attacker can exploit this by sending a small compressed payload (a "zip bomb") that decompresses into a very large amount of data, causing the server to consume excessive memory and crash due to out-of-memory conditions. [1]

Impact Analysis

This vulnerability can cause a high-severity Denial of Service (DoS) impact by allowing an attacker to crash the server remotely without any privileges or user interaction. By sending a specially crafted compressed HTTP request body that decompresses to a massive size, the server's memory can be exhausted, leading to a crash or shutdown. This disrupts availability of the service relying on cpp-httplib. [1]

Detection Guidance

This vulnerability can be detected by monitoring for unusually large decompressed HTTP request bodies that exceed expected payload sizes, especially those with Content-Encoding headers like gzip or br. One practical approach is to capture and inspect HTTP POST requests with compressed bodies and analyze their decompressed size. A suggested command is to use curl or similar tools to send test compressed payloads and observe server behavior. For example, using Python scripts (as demonstrated in the proof-of-concept) to send a small compressed payload that decompresses to a very large size can help detect if the server is vulnerable by causing it to crash or exhaust memory. Additionally, network packet capture tools like tcpdump or Wireshark can be used to capture HTTP traffic and analyze Content-Encoding headers and payload sizes. However, no specific commands are provided in the resources. [1]

Chat Assistant
Ask questions about this CVE
Hi! I’m here to help you understand CVE-2026-22776. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70
EPSS Chart