Update Info

openSUSE-2025-446


Security update for cpp-httplib


Type: security
Severity: important
Issued: 2025-11-28
Description:
This update for cpp-httplib fixes the following issues:

- CVE-2025-53629: a request header can make the server allocate memory of arbitrary size, potentially leading to memory exhaustion (CVE-2025-53628, boo#1246471)
- CVE-2025-53628: HTTP header smuggling due to insecure merging of trailers into the headers (CVE-2025-53628, boo#1246468)
- CVE-2025-52887: the number of HTTP header fields is not limited, which can lead to exhaustion of system memory (CVE-2025-52887, boo#1245414)

- version update to 0.20.1
  0.20.1 (CVE-2025-46728 [boo#1242777])
  * Add AF_UNIX support on windows #2115
  * Support zstd also via pkg-config #2121
  * Fix #2113
  * Fix "Unbounded Memory Allocation in Chunked/No-Length Requests"
  0.20.0
  * server_certificate_verifier extended to reuse built-in verifier #2064
  * Assertion failed when destroying httplib::Client
  * #2068
  * Spaces incorrectly allowed in header field names #2096
  * build(meson): copy MountTest.MultibytesPathName files #2098
  * Remove SSLInit #2102
  * Add zstd support #2088
  * Question the behavior of method read_content_without_length #2109
  * Crash when calling std::exit while server running or client requests in flight #2097
  0.19.0
  * Global timeout feature (same as "--max-time" curl option) #2034
  * Fix check for URI length to prevent incorrect HTTP 414 errors
  0.18.7
  * Potential memory corruption in stream_line_reader #2028

- version update to 0.18.6
  * Resolve #2033
  * Port/Address re-use #2011
  * Invalid Content-Length values should be rejected #2014
  * Feature request: ability to check if the connection is still alive #2017
  * Changed to use non-blocking socket in is_ssl_peer_could_be_closed (258992a)
  * Treat out-of-range last_pos as the end of the content #2009
  * Fix: set_file_content with a range request returns 416 #2010
  * Fix HTTP Response Splitting Vulnerability (9c36aae)

- Update to 0.18.3:
  * Bug fixes:
    - Regression: Client keep-alive subsequent requests very slow #1997
    - 304 Not Modified response stalls until timeout #1998
- Update to 0.18.2:
  * Bug fixes:
    - Fix the problem that CreateFile2 in mmap::open fails to... #1973
    - Default Accept-Encoding header for the client #1975
    - SSLClientReconnection fails on Windows #1980
    - delay in keep_alive due to sleep #1969
    - missing query param in httplib::Client::send #1985

- Update to 0.18.1:
  * SSLClientServerTest.* tests fail with OpenSSL 3.2.1 (#1798)
  * Feat: add CPack support (#1950)
  * Keep alive is slowing down shutdown (#1959)
  * Allow empty header values (#1965)

- update to 0.18.0:
  * httplib.h: support LibreSSL
  * Nice way to call "handle_file_request" from user code
  * How to diagnose the infamous read error 4
  * Made default server and client read/write timeout settings separately
  * Slow performance caused by get_remote_ip_and_port and get_local_ip_and_port
  * Provides a way to ignore host verify
  * add API support for verify certificate manually
- update to 0.17.3:
  * Accessing Directory
  * constexpr error
  * Only match path params that span full path segment
  * Fix KeepAliveTest.SSLClientReconnectionPost problem
- update to 0.17.2:
  * Fix incorrect handling of Expect: 100-continue
  * Performance improvement by removing tolower function call
- update to 0.17.1:
  * Header parser incorrectly accepts NUL and CR within header values
  * Fix problem with Abstract Namespace Unix Domain
  * Fix SIGINT problem in Docker image
- update to 0.17.0:
  * Changed CPPHTTPLIB_KEEPALIVE_MAX_COUNT to 100
  * Add Dockerfile for static file server
  * Breaking Change!: get_header_ methods on Request and Response now take
  * Add sleep in handle_EINTR
  * Added set_ipv6_v6only method
  * impossible to shut down the server safely
  * Performance: reserve body to avoid frequent reallocations and copies
- update to 0.16.3:
  * Fixed set_connection_timeout() unexpected results
  * Fix KeepAliveTest.SSLClientReconnectionPost
- update to 0.16.2:
  * threadsafe CLOEXEC on platforms that support it
  * BoringSSL compatibility fixes
- update to 0.16.1:
  * detail::is_socket_alive() does not work for https connections
  * avoid memory leaks if linked with static openssl libs
  * Allow hex for ipv6 literal addr in redirect
  * Fix build on Windows with no WINAPI_PARTITION_APP support
  * test: fix GetRangeWithMaxLongLength on 32 bit machines
  * Require a minimum of TLS 1.2
- update to 0.16.0:
  * Use final keyword for devirtualization
  * FindBrotli cleanup and fixes
  * client can't open the encrypted private key
  * build(meson): generate new test PEMs
  * Fix range parser when parsing too many ranges
  * fix: increase default receive buffer to 16kb
  * Removed excess usage of std::move
  * Merge branch 'HerrCai0907-fix'
  * Highlight notes using markdown features
  * Added progress to POST, PUT, PATCH and DELETE requests
  * Tweak CI and fix macOS prefix
  * New function SSLServer::update_certs, which allows updating certificates while the server is running
  * Change library name to cpp-httplib
- update to 0.15.3:
  * Breaking change in handling requests with Range in v0.15.1 and v0.15.2
- update to 0.15.2:
  * Severe directory traversal vulnerability (dotdotslash)

- Update to version 0.15.1:
  * Malicious requests for many overlapping byte ranges of large files risk OOM #1766
  * Add missing #include for strcasecmp #1744
  * ThreadPool: optional limit for jobs queue (#1741)
  * Fix #1628 (OpenSSL 1.1.1 End of Life on September 11, 2023)
  * Fix Windows std::max macro problem #1750
  * Fix select() return code for fd >= 1024 (#1757)
  * Add a getter for a bearer token from a request (#1755)
  * Support move semantics for Response::set_content() (#1764)
  * Treat paths with embedded NUL bytes as invalid (#1765)
  * Fix usage of rand() is not seeded and depends on seeding by parent program #1747
  * Fix check request range and fix response Content-Range. #1694
  * Fix: Query parameter including query delimiter ('?') not being parsed properly (#1713)
  * Fix #1736
  * Fix #1665
  * Change some of status messages based on RFC 9110 (#1740)
  * Add StatusCode enum (#1739)
  * Fix #1738
  * Fix #1685
  * Fix #1724
  * Add optional user defined header writer #1683
  * Fix CPPHTTPLIB_ALLOW_LF_AS_LINE_TERMINATOR (#1634)
  * Avoid a -Warray-bounds false positive in GCC 13. (#1639)
  * Fix #1638
  * Removed unnecessary CRLF at the end of multipart ranges data
  * Fix #1559
  * Use memory mapped file for static file server (#1632)
  * Fix #1519
  * Fix #1590 (#1630)
  * Fix #1619
  * Fix #1624
  * Compiler freezes on Debian 10 (buster) with GCC 8.3.0 #1613
  * Don't overwrite the last redirected location (#1589) # This is a breaking change.
  * Fix #1607
  * Add named path parameters parsing (Implements #1587) (#1608)
  * Result: allow default constructor (#1609)
  * Add support for zOS (#1581)
  * Provide a CMake option to disable C++ exceptions (#1580)
  * Load in-memory CA certificates (#1579)

Packages


  • cpp-httplib-0.20.1-bp156.2.9.1