Unknown · Cpp-Httplib · CVE-2026-45352
**Name of the Vulnerable Software and Affected Versions**
cpp-httplib versions prior to 0.43.4
**Description**
A flaw in the `ChunkedDecoder::read_payload()` function of the cpp-httplib library allows a remote attacker to cause a denial of service. The issue occurs because the library uses `std::strtoul()` to parse the chunk-size field of HTTP chunked transfer encoding. According to the C standard, `strtoul()` accepts leading minus signs and performs an unsigned wrap-around; for example, providing "-2" results in a value near the maximum possible unsigned long. While the library rejects the specific result of "-1" (`ULONG_MAX`), other negative values pass validation and are stored in the `chunk_remaining` variable. This leads to unbounded memory allocation and a subsequent process crash as the server's read loop attempts to consume an excessive amount of data from the network.
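The parsing behaviour described above, shown beside a stricter parser, as an added example that is not code from cpp-httplib or its fix. The function names, the sample lines and the 16 MiB cap `kMaxChunk` are assumptions of this example.

```cpp
#include <cctype>
#include <climits>
#include <cstdio>
#include <cstdlib>
#include <string>

// Assumed cap for this example; not a value taken from cpp-httplib.
static const unsigned long kMaxChunk = 16UL * 1024 * 1024;

// Lenient pattern from the description: strtoul() in base 16, rejecting only
// a ULONG_MAX result. strtoul() also skips whitespace and accepts '+'/'-'.
bool parse_chunk_size_lenient(const std::string &line, unsigned long &out) {
  char *end = nullptr;
  unsigned long v = std::strtoul(line.c_str(), &end, 16);
  if (end == line.c_str() || v == ULONG_MAX) return false;
  out = v;
  return true;
}

// Strict form: the field must start with a hex digit (RFC 9112 chunk-size is
// 1*HEXDIG), may be followed only by a ';' extension, and must fit in max.
bool parse_chunk_size_strict(const std::string &line, unsigned long max,
                             unsigned long &out) {
  unsigned long v = 0;
  size_t i = 0;
  for (; i < line.size(); ++i) {
    unsigned char c = static_cast<unsigned char>(line[i]);
    if (!std::isxdigit(c)) break;
    unsigned long d = std::isdigit(c) ? (c - '0') : (std::tolower(c) - 'a' + 10);
    if (d > max || v > (max - d) / 16) return false;  // v*16+d would exceed max
    v = v * 16 + d;
  }
  if (i == 0) return false;  // no leading digit: "-2", "+5", " 5", ""
  if (i < line.size() && line[i] != ';') return false;  // trailing junk
  out = v;
  return true;
}

int main() {
  // Constructed sample chunk-size lines (CRLF already stripped).
  const char *samples[] = {"1a", "1a;name=val", "-2", "-1", "+5"};
  for (const char *s : samples) {
    unsigned long a = 0, b = 0;
    bool la = parse_chunk_size_lenient(s, a);
    bool sb = parse_chunk_size_strict(s, kMaxChunk, b);
    std::printf("%-12s lenient=%d (%lu) strict=%d (%lu)\n", s, la, a, sb, b);
  }
  return 0;
}
```

Bounding the parsed size against a cap matters independently of the sign check, since a syntactically valid but very large hex value would otherwise drive the same read loop.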
**Recommendations**
Update to version 0.43.4.