CVE-2026-29076
Stack Overflow in cpp-httplib via Malicious Multipart Filename* Parsing

Publication date: 2026-03-07

Last updated on: 2026-03-09

Assigner: GitHub, Inc.

Description
cpp-httplib is a C++11 single-file header-only cross platform HTTP/HTTPS library. Prior to version 0.37.0, cpp-httplib uses std::regex (libstdc++) to parse RFC 5987 encoded filename* values in multipart Content-Disposition headers. The regex engine in libstdc++ implements backtracking via deep recursion, consuming one stack frame per input character. An attacker can send a single HTTP POST request with a crafted filename* parameter that causes uncontrolled stack growth, resulting in a stack overflow (SIGSEGV) that crashes the server process. This issue has been patched in version 0.37.0.
Meta Information
Published: 2026-03-07
Last Modified: 2026-03-09
Generated: 2026-06-16
AI Q&A: 2026-03-07
EPSS Evaluated: 2026-06-15
Affected Vendors & Products
Vendor: yhirose
Product: cpp-httplib
Version / Range: to 0.37.0 (exc)
CWE
CWE-674: The product does not properly control the amount of recursion that takes place, consuming excessive resources, such as allocated memory or the program stack.
CWE-1333: The product uses a regular expression with an inefficient, possibly exponential worst-case computational complexity that consumes excessive CPU cycles.
Impact Analysis

This vulnerability can cause a denial of service (DoS) on servers using vulnerable versions of cpp-httplib (prior to 0.37.0).

An attacker can crash the server by sending a single malicious HTTP POST request with a crafted multipart/form-data body containing a large filename* parameter. This triggers a stack overflow due to deep recursion in the regex engine, causing the server process to crash (SIGSEGV).

The crash results in loss of all in-flight requests and requires an external restart of the server, potentially causing downtime and service disruption.

Executive Summary

CVE-2026-29076 is a vulnerability in the cpp-httplib C++ library that occurs when parsing multipart form-data headers, specifically the Content-Disposition header's filename* parameter. The library used std::regex from libstdc++ to parse RFC 5987 encoded filenames, but this regex engine uses deep recursive backtracking that consumes one stack frame per input character.

An attacker can send a specially crafted HTTP POST request with a very long or maliciously crafted filename* parameter that triggers uncontrolled stack growth, causing a stack overflow and crashing the server process (SIGSEGV). This results in a denial of service.

The issue was fixed in version 0.37.0 by replacing the regex-based parser with a custom, non-recursive parser that safely handles the Content-Disposition header and UTF-8 encoded filenames without risking stack overflow. [1, 3]

Detection Guidance

This vulnerability can be detected by monitoring for server crashes (SIGSEGV) or denial of service symptoms when processing HTTP POST requests with multipart/form-data containing a crafted filename* parameter in the Content-Disposition header.

A practical detection method is to test the vulnerable endpoint (e.g., /upload) by sending a specially crafted HTTP POST request with a very long or maliciously crafted filename* parameter to see if the server crashes or becomes unresponsive.

An example approach is to use a script similar to the provided proof of concept exploit (e.g., send_exploit.py) that sends a POST request with a large filename* value to trigger the stack overflow.

On the system, you can also check logs for segmentation faults or crashes related to the cpp-httplib server process.

No specific command-line commands are provided in the resources, but network traffic capture tools like tcpdump or Wireshark can be used to inspect multipart/form-data POST requests for suspiciously long filename* parameters.

Mitigation Strategies

The immediate mitigation step is to upgrade the cpp-httplib library to version 0.37.0 or later, where the vulnerability has been fixed by replacing the vulnerable std::regex parsing with a safe manual parser.

If upgrading is not immediately possible, consider implementing strict input size limits on multipart Content-Disposition headers, especially the filename* parameter, to prevent excessively long inputs that trigger stack overflow.

Monitor and restrict incoming HTTP POST requests with multipart/form-data to detect and block suspiciously large or malformed filename* parameters.

Restart the server if it crashes due to this vulnerability, but note that this is only a temporary measure until the patch is applied.
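
A bounded, single-pass decoder for the RFC 5987 filename* value, illustrating the length limit and the non-recursive parsing approach described above. This is an added example, not cpp-httplib's own code; kMaxExtValueLen, decode_ext_value and the UTF-8-only policy are assumptions of the example.

```cpp
#include <cctype>
#include <cstddef>
#include <string>

// Assumed cap for this example; set it to the longest filename you accept.
constexpr std::size_t kMaxExtValueLen = 1024;

static int hex_val(unsigned char c) {
  if (std::isdigit(c)) return c - '0';
  c = static_cast<unsigned char>(std::tolower(c));
  return (c >= 'a' && c <= 'f') ? c - 'a' + 10 : -1;
}

// RFC 5987 attr-char: ALPHA / DIGIT / one of the punctuation marks below.
static bool is_attr_char(unsigned char c) {
  static const std::string punct = "!#$&+-.^_`|~";
  return std::isalnum(c) || punct.find(static_cast<char>(c)) != std::string::npos;
}

// Decode charset'language'value in one forward pass (no regex, no recursion).
// Returns false, leaving out untouched, when the value is oversized or malformed.
bool decode_ext_value(const std::string &v, std::string &out) {
  if (v.size() > kMaxExtValueLen) return false;  // bound the work up front
  const std::size_t q1 = v.find('\'');
  if (q1 == std::string::npos) return false;
  const std::size_t q2 = v.find('\'', q1 + 1);
  if (q2 == std::string::npos) return false;
  std::string charset = v.substr(0, q1);
  for (char &c : charset) c = static_cast<char>(std::tolower(static_cast<unsigned char>(c)));
  if (charset != "utf-8") return false;  // this example accepts UTF-8 only
  std::string decoded;
  for (std::size_t i = q2 + 1; i < v.size(); ++i) {
    const unsigned char c = static_cast<unsigned char>(v[i]);
    if (c == '%') {
      if (i + 2 >= v.size()) return false;  // truncated percent escape
      const int hi = hex_val(v[i + 1]), lo = hex_val(v[i + 2]);
      if (hi < 0 || lo < 0) return false;   // non-hex digit in escape
      decoded.push_back(static_cast<char>(hi * 16 + lo));
      i += 2;
    } else if (is_attr_char(c)) {
      decoded.push_back(static_cast<char>(c));
    } else {
      return false;  // raw byte outside attr-char must be percent-encoded
    }
  }
  out = decoded;
  return true;
}
```

The decoded bytes are still untrusted input: validate them as UTF-8 and strip path separators before using them as a filename.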
