
Fedora 44 cpp-httplib Major DoS Vulnerability with Potential Code Execution

fedora
July 2, 2026
Fedora 44's cpp-httplib update addresses critical security issues, enhancing application security against potential attacks.

Summary

A C++11 single-file header-only cross platform HTTP/HTTPS library.

It's extremely easy to set up. Just include the httplib.h file in your code!

Update Information:

Update to 0.48.0 (rhbz#2481109)

Security fixes

Complete the IP-host certificate identity fix from v0.47.0 for the Mbed TLS and wolfSSL backends. An IP-literal host is now authenticated only via a matching iPAddress SAN, never via the certificate's Common Name (RFC 9110) — matching what the OpenSSL backend already enforces through X509_check_ip. Previously these backends fell back to the CN when no IP SAN matched, and recognized IPv4 only; now IPv6 (16-byte) iPAddress SANs are matched as well, and the CN fallback is skipped for both IPv4 and IPv6 literal hosts (#2476)

Improvements

Replace the strtod-based from_chars for double with a hand-written, locale-independent parser. The only double parsed by the library is the HTTP quality value; strtod reads the decimal separator from the global C locale, so an embedder calling setlocale(LC_ALL, "") into a comma-decimal locale would mis-parse q-values. The new parser always treats . as the decimal separator and is allocation-free (Fix #247...
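The IP-literal identity rule from the security fix above, sketched as an added example (not cpp-httplib's code and not part of the advisory). CertIdentity, legacy_match and strict_match are hypothetical names, the certificate fields are assumed to be already extracted, and hostname matching is reduced to an exact dNSName comparison.

```cpp
// Added illustration of the rule in the advisory; not cpp-httplib source.
// All type and function names here are hypothetical.
#include <arpa/inet.h>  // inet_pton (POSIX)
#include <cstdint>
#include <string>
#include <vector>

struct CertIdentity {
  std::string common_name;                    // subject CN
  std::vector<std::string> dns_sans;          // dNSName SANs
  std::vector<std::vector<uint8_t>> ip_sans;  // iPAddress SANs, 4 or 16 raw bytes
};

// Converts an IP literal to network-order bytes; returns false for non-IP hosts.
// With allow_v6 == false only IPv4 is recognized (the pre-fix limitation).
static bool parse_ip(const std::string &host, bool allow_v6,
                     std::vector<uint8_t> &out) {
  unsigned char buf[16];
  int len = 0;
  if (inet_pton(AF_INET, host.c_str(), buf) == 1) len = 4;
  else if (allow_v6 && inet_pton(AF_INET6, host.c_str(), buf) == 1) len = 16;
  out.assign(buf, buf + len);
  return len != 0;
}

static bool has_ip_san(const CertIdentity &c, const std::vector<uint8_t> &ip) {
  for (const auto &san : c.ip_sans)
    if (san == ip) return true;
  return false;
}

// Pre-fix behaviour as the advisory describes it, modelled for IP-literal
// hosts only: IPv4-only SAN matching, then a fallback to the Common Name.
bool legacy_match(const std::string &host, const CertIdentity &c) {
  std::vector<uint8_t> ip;
  if (parse_ip(host, false, ip) && has_ip_san(c, ip)) return true;
  return c.common_name == host;  // CN fallback also reached for IP literals
}

// Fixed behaviour: an IP literal is accepted only via a matching iPAddress SAN.
bool strict_match(const std::string &host, const CertIdentity &c) {
  std::vector<uint8_t> ip;
  if (parse_ip(host, true, ip)) return has_ip_san(c, ip);  // never the CN
  for (const auto &name : c.dns_sans)  // hostname path: exact match only here
    if (name == host) return true;
  return false;
}
```

A certificate that carries an address only in its CN passes legacy_match and fails strict_match, which is the case to look for when auditing certificates issued for IP-addressed endpoints before rolling out 0.48.0.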


Change Log

* Wed Jun 24 2026 Petr Menšík - 0.48.0-1
- Update to 0.48.0 (rhbz#2481109)
* Wed Jun 24 2026 Petr Menšík - 0.47.0-1
- Update to 0.47.0 (rhbz#2481109, CVE-2026-46527, CVE-2026-45372, CVE-2026-45352)
* Tue May 19 2026 Petr Menšík - 0.45.0-1
- Update to 0.45.0 (rhbz#2450591)
* Fri Mar 27 2026 Petr Menšík - 0.39.0-1
- Update to 0.39.0 (rhbz#2450591)
* Fri Mar 27 2026 Petr Menšík - 0.38.0-3
- Record upstream tag format in spec
* Mon Mar 23 2026 Petr Menšík - 0.38.0-2
- Helper definitions of upstream and signed files

References


[ 1 ] Bug #2452170 - CVE-2026-33745 cpp-httplib: cpp-httplib: Information disclosure of credentials via cross-origin HTTP redirects [fedora-43]
      https://bugzilla.redhat.com/show_bug.cgi?id=2452170
[ 2 ] Bug #2481109 - cpp-httplib-0.48.0 is available
      https://bugzilla.redhat.com/show_bug.cgi?id=2481109
[ 3 ] Bug #2483726 - CVE-2026-46527 cpp-httplib: cpp-httplib: Denial of Service via malformed X-Forwarded-For header [fedora-all]
      https://bugzilla.redhat.com/show_bug.cgi?id=2483726
[ 4 ] Bug #2483733 - CVE-2026-45372 cpp-httplib: cpp-httplib: Arbitrary code execution via improper HTTP header processing [fedora-all]
      https://bugzilla.redhat.com/show_bug.cgi?id=2483733
[ 5 ] Bug #2483736 - CVE-2026-45352 cpp-httplib: cpp-httplib: Denial of Service due to unbounded memory allocation via negative chunk-size [fedora-all]
      https://bugzilla.redhat.com/show_bug.cgi?id=2483736

Update Instructions

This update can be installed with the "dnf" update program. Use su -c 'dnf upgrade --advisory FEDORA-2026-1b15ac058b' at the command line. For more information, refer to the dnf documentation available at http://dnf.readthedocs.io/en/latest/command_ref.html#upgrade-command-label

Severity
critical

Name: cpp-httplib
Product: Fedora 44
Version: 0.48.0
Release: 1.fc44
Summary: A C++11 single-file header-only cross platform HTTP/HTTPS library
