CVE-2025-52887: 
Homebrew vulnerability analysis and mitigation

CVE-2025-52887 affects cpp-httplib, a C++11 single-file header-only cross platform HTTP/HTTPS library. The vulnerability was discovered in version 0.21.0 and disclosed on June 25, 2025. The issue occurs when multiple HTTP header fields are passed in, as the library does not limit the number of headers, and the memory associated with the headers is not released when the connection is disconnected (GitHub Advisory).

The vulnerability exists in the readheaders function which only limits the size of each header but does not limit the total length of all headers or the number of headers. An attacker can maintain a connection and send an unlimited amount of header fields without sending consecutive \r\n\r\n, forcing unlimited memory allocation to the unorderedmultimap type headers. The vulnerability has been assigned a CVSS v3.1 base score of 7.5 (High) with the vector string CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H. The issue is classified as CWE-400 (Uncontrolled Resource Consumption) (GitHub Advisory).

The vulnerability can lead to Denial of Service (DoS) where the server process will consume excessive memory until it crashes or becomes unresponsive. On multi-tenant systems, this can impact other applications by consuming system resources. The vulnerability affects the server before request routing is completed and does not require authentication (GitHub Advisory).

The vulnerability has been patched in version 0.22.0 of cpp-httplib. The fix implements a header count limit to prevent unlimited memory allocation. Users are advised to upgrade to version 0.22.0 or later to address this security issue (GitHub Advisory, GitHub Commit).