{"schema_version":"1.7.2","id":"OESA-2026-1637","modified":"2026-03-20T14:23:07Z","published":"2026-03-20T14:23:07Z","upstream":["CVE-2026-31870","CVE-2026-32627"],"summary":"cpp-httplib security update","details":"A C++11 single-file header-only cross platform HTTP/HTTPS library. It's extremely easy to set up. Just include httplib.h file in your code!\r\n\r\nSecurity Fix(es):\n\ncpp-httplib is a C++11 single-file header-only cross platform HTTP/HTTPS library. Prior to version 0.37.1, when a cpp-httplib client uses the streaming API (such as httplib::stream::Get, httplib::stream::Post, etc.), the library calls std::stoull() directly on the Content-Length header value received from the server with no input validation and no exception handling. std::stoull throws std::invalid_argument for non-numeric strings and std::out_of_range for values exceeding ULLONG_MAX. Since nothing catches these exceptions, the C++ runtime calls std::terminate(), which kills the process with SIGABRT. Any server the client connects to — including servers reached via HTTP redirects, third-party APIs, or man-in-the-middle positions — can crash the client application with a single HTTP response. No authentication is required. No interaction from the end user is required. The crash is deterministic and immediate. This vulnerability is fixed in version 0.37.1.(CVE-2026-31870)\n\ncpp-httplib is a C++11 single-file header-only cross platform HTTP/HTTPS library. Prior to 0.37.2, when a cpp-httplib client is configured with a proxy and set_follow_location(true), any HTTPS redirect it follows will have TLS certificate and hostname verification silently disabled on the new connection. The client will accept any certificate presented by the redirect target — expired, self-signed, or forged — without raising an error or notifying the application. A network attacker in a position to return a redirect response can fully intercept the follow-up HTTPS connection, including any credentials or session tokens in flight. This vulnerability is fixed in 0.37.2.(CVE-2026-32627)","affected":[{"package":{"ecosystem":"openEuler:24.03-LTS","name":"cpp-httplib","purl":"pkg:rpm/openEuler/cpp-httplib&distro=openEuler-24.03-LTS"},"ranges":[{"type":"ECOSYSTEM","events":[{"introduced":"0"},{"fixed":"0.38.0-1.oe2403"}]}],"ecosystem_specific":{"aarch64":["cpp-httplib-0.38.0-1.oe2403.aarch64.rpm","cpp-httplib-debuginfo-0.38.0-1.oe2403.aarch64.rpm","cpp-httplib-debugsource-0.38.0-1.oe2403.aarch64.rpm","cpp-httplib-devel-0.38.0-1.oe2403.aarch64.rpm"],"src":["cpp-httplib-0.38.0-1.oe2403.src.rpm"],"x86_64":["cpp-httplib-0.38.0-1.oe2403.x86_64.rpm","cpp-httplib-debuginfo-0.38.0-1.oe2403.x86_64.rpm","cpp-httplib-debugsource-0.38.0-1.oe2403.x86_64.rpm","cpp-httplib-devel-0.38.0-1.oe2403.x86_64.rpm"]}}],"references":[{"type":"ADVISORY","url":"https://www.openeuler.org/zh/security/security-bulletins/detail/?id=openEuler-SA-2026-1637"},{"type":"ADVISORY","url":"https://nvd.nist.gov/vuln/detail/CVE-2026-31870"},{"type":"ADVISORY","url":"https://nvd.nist.gov/vuln/detail/CVE-2026-32627"}],"database_specific":{"severity":"High"}}
