CVE-2025-46728: 
Homebrew vulnerability analysis and mitigation

cpp-httplib, a C++11 single-file header-only cross-platform HTTP/HTTPS server and client library, contains a vulnerability tracked as CVE-2025-46728. The vulnerability was discovered and disclosed on May 5, 2025, affecting versions 0.20.0 and earlier. The issue lies in the library's failure to enforce configured size limits on incoming request bodies when Transfer-Encoding: chunked is used or when no Content-Length header is provided (GitHub Advisory).

The vulnerability stems from the readcontentchunked function, which continuously reads incoming chunks without limiting the total accumulated size. When processing HTTP chunked transfers, the server fails to enforce size limits during the parsing of request bodies. The issue is particularly critical when handling requests with Transfer-Encoding: chunked or those lacking a Content-Length header. The vulnerability has been assigned a CVSS v3.1 base score of 7.5 (High) with the vector string CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H, indicating network accessibility with low attack complexity and no required privileges or user interaction (GitHub Advisory, Security Online).

The vulnerability can lead to severe consequences including Denial of Service (DoS) where the server process consumes excessive memory until it crashes or becomes unresponsive. In multi-tenant systems, this can result in resource exhaustion, potentially impacting other applications by consuming system resources (GitHub Advisory, Security Online).

The primary mitigation is to update to the patched version 0.20.1, which enforces limits during parsing and terminates connections immediately if limits are exceeded. For users unable to update immediately, a temporary workaround involves deploying a reverse proxy (such as Nginx or HAProxy) in front of the cpp-httplib application and configuring it to enforce maximum request body size limits (GitHub Advisory).