Jan 6, 2026
LibHyperHTTP, a popular embedded web server library, adds to an attacker-controlled header length without first checking that the sum still fits in the unsigned counter. A declared header size close to `UINT_MAX` wraps that counter, so the server makes a tiny heap allocation and then runs a `memcpy` with the original, enormous length into it. Result: immediate heap corruption and a path to RCE.
A critical integer overflow vulnerability in the LibHyperHTTP library allows remote attackers to trigger a heap buffer overflow via crafted HTTP headers, leading to potential Remote Code Execution (RCE).
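The arithmetic behind this bug, as an added example in C (this is not LibHyperHTTP's code; the function names, the 4-byte overhead and the 64 KiB cap are assumptions chosen to show the pattern). The vulnerable form computes the allocation size with an unchecked 32-bit addition; the hardened form validates the length before the addition and refuses a declared length longer than the bytes actually received. The out-of-bounds copy is reported rather than performed, so the program runs safely.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Illustrative constants. LibHyperHTTP's real names and values are not
 * published on this page; these are assumptions chosen to show the arithmetic. */
#define HDR_OVERHEAD     4u            /* assumed: room for "\r\n" and a NUL */
#define MAX_HEADER_BYTES (64u * 1024u) /* assumed policy cap on one header */

/* Vulnerable pattern: the attacker-supplied length is added to a small
 * overhead in 32-bit unsigned arithmetic with no range check (CWE-190).
 * For hdr_len = 0xFFFFFFFF the sum is 0x100000003, which wraps to 3. */
uint32_t alloc_size_vulnerable(uint32_t hdr_len)
{
    uint32_t total = hdr_len + HDR_OVERHEAD;   /* wraps past UINT32_MAX */
    return total;
}

/* The vulnerable code would now call malloc(total) and memcpy(..., hdr_len).
 * We do not perform that copy (it would corrupt the heap); instead we return
 * whether the copy length exceeds the allocation, and by how many bytes. */
bool vulnerable_copy_overflows(uint32_t hdr_len, size_t *alloc_out,
                               size_t *excess_out)
{
    uint32_t total = alloc_size_vulnerable(hdr_len);
    *alloc_out = total;
    if (hdr_len > total) {
        *excess_out = (size_t)hdr_len - total;  /* bytes written out of bounds */
        return true;
    }
    *excess_out = 0;
    return false;
}

/* Hardened form: validate before the addition. The cap rejects absurd sizes
 * outright; the wrap check is kept as defence in depth in case the cap is
 * ever raised or removed. */
bool alloc_size_checked(uint32_t hdr_len, size_t *out)
{
    if (hdr_len > MAX_HEADER_BYTES)
        return false;
    if (hdr_len > UINT32_MAX - HDR_OVERHEAD)   /* the sum would wrap */
        return false;
    *out = (size_t)hdr_len + HDR_OVERHEAD;
    return true;
}

/* Safe copy: allocates exactly what the checked size says, and refuses a
 * declared length longer than the bytes actually received (src_len).
 * Returns a NUL-terminated copy the caller must free, or NULL on rejection. */
char *copy_header_checked(const char *src, size_t src_len, uint32_t hdr_len)
{
    size_t need;
    if (!alloc_size_checked(hdr_len, &need) || hdr_len > src_len)
        return NULL;
    char *buf = malloc(need);
    if (buf == NULL)
        return NULL;
    memcpy(buf, src, hdr_len);
    buf[hdr_len] = '\0';
    return buf;
}

int main(void)
{
    size_t alloc, excess;
    uint32_t evil_len = UINT32_MAX;            /* "a header size close to UINT_MAX" */
    if (vulnerable_copy_overflows(evil_len, &alloc, &excess))
        printf("vulnerable: malloc(%zu) then memcpy of %u bytes, %zu out of bounds\n",
               alloc, evil_len, excess);

    const char req[] = "Host: example.com";    /* constructed sample header */
    char *h = copy_header_checked(req, sizeof req - 1, (uint32_t)(sizeof req - 1));
    printf("checked: %s\n", h ? h : "(rejected)");
    free(h);
    printf("checked with evil length: %s\n",
           copy_header_checked(req, sizeof req - 1, evil_len) ? "accepted" : "rejected");
    return 0;
}
```

The policy cap is the control that matters in practice: a header parser has no business accepting lengths anywhere near the counter's limit, and checking against the cap before any arithmetic removes the wrap entirely. On GCC and Clang, `__builtin_add_overflow(hdr_len, HDR_OVERHEAD, &total)` is an equivalent way to express the second check. Note that UBSan does not flag unsigned wraparound by default, since it is defined behaviour in C; Clang's `-fsanitize=unsigned-integer-overflow` is needed to catch this class of bug in testing.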
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

| Product | Affected Versions | Fixed Version |
|---|---|---|
| LibHyperHTTP HyperSource | < 2.4.1 | 2.4.1 |
| Attribute | Detail |
|---|---|
| CWE ID | CWE-190 (Integer Overflow or Wraparound) |
| Attack Vector | Network (AV:N) |
| Impact | Critical (Confidentiality, Integrity, Availability) |
| CVSS v3.1 | 9.8 |
| Exploit Status | Proof of Concept Available |
| EPSS Score | 0.85 (High Probability) |
The software performs a calculation that can produce an integer overflow or wraparound when the logic assumes that the resulting value will always be larger than the original value. When the wrapped result is then used for resource management (here, a heap allocation size) or execution control, it introduces further weaknesses, such as the heap buffer overflow described above.