Executive Summary

CVE-2026-28435 is a vulnerability in the cpp-httplib C++ library (versions up to 0.34.0) that allows an attacker to bypass the configured payload size limit when decompressing HTTP request bodies using streaming handlers with gzip or other supported content encodings.

The root cause is that the library enforces the payload size limit on the compressed data read from the network, but does not enforce this limit on the decompressed data output delivered to the application when using streaming ContentReader handlers.

This means a small compressed payload can decompress into a much larger payload that exceeds the configured limit, allowing the application to process oversized data.

This flaw enables a payload size limit bypass and can lead to denial of service (DoS) through CPU and memory exhaustion.

Useful 0 Not Useful 0

Impact Analysis

[{'type': 'paragraph', 'content': "An attacker can send a small compressed HTTP request body that decompresses into a very large payload, bypassing the server's configured payload size limits."}, {'type': 'paragraph', 'content': 'When the server uses streaming handlers with decompression enabled, it will process this oversized decompressed data, potentially causing excessive CPU and memory consumption.'}, {'type': 'paragraph', 'content': 'This resource exhaustion can lead to denial of service (DoS), especially in resource-constrained or high-concurrency environments, making the server unavailable or unstable.'}] [1]

Useful 0 Not Useful 0

Compliance Impact

I don't know

Useful 0 Not Useful 0

Detection Guidance

This vulnerability can be detected by monitoring for unusually small compressed HTTP request payloads that decompress to very large sizes, especially on endpoints using streaming ContentReader handlers with Content-Encoding: gzip or other supported encodings.

Detection involves checking server logs for requests where the decompressed payload size exceeds the configured payload limit despite the compressed payload being small.

Since the vulnerability involves bypassing payload size limits during decompression, you can detect it by capturing HTTP requests with compressed bodies and decompressing them offline to verify if the decompressed size exceeds expected limits.

Suggested commands include using network packet capture tools like tcpdump or Wireshark to capture HTTP traffic, then extracting and decompressing payloads to check for size discrepancies.

• Use tcpdump to capture HTTP traffic on the server port: tcpdump -i <interface> -s 0 -w capture.pcap port 80 or 443
• Use Wireshark or tshark to filter HTTP requests with Content-Encoding: gzip.
• Extract compressed payloads and decompress them using gzip or zlib tools to compare compressed vs decompressed sizes.
• Check server application logs for any anomalies or errors related to payload size or resource exhaustion.

Useful 0 Not Useful 0

Mitigation Strategies

Immediate mitigation steps include disabling request-body decompression on endpoints that use streaming ContentReader handlers.

Reject or ignore HTTP requests containing Content-Encoding headers on those endpoints to prevent decompression bypass.

Implement decompressed-size limits within the application callback by counting decompressed bytes and aborting processing when limits are exceeded.

Upgrade the cpp-httplib library to version 0.35.0 or later, where the vulnerability is fixed by enforcing payload size limits on decompressed data and returning HTTP 413 Payload Too Large responses when limits are exceeded.

Avoid relying solely on Server::set_payload_max_length() as a strict security boundary when using streaming decompression.

Useful 0 Not Useful 0