Releases: yhirose/cpp-httplib

v0.45.0

15 May 00:32

What's Changed

Bug fixes

  • Fix crash on empty / comma-only X-Forwarded-For when set_trusted_proxies() is configured. get_client_ip() previously called front() on a vector that was empty whenever the header tokenized to zero segments ("", ",", ", , ,"); it now returns an empty string so process_request() falls back to the connection-level remote address instead of crashing (5c92857)
  • Fix keep-alive corruption on requests without a framed body (#2450). The post-response drain ran for any request that expect_content() accepted, so a method like DELETE /items/1 with no Content-Length and no Transfer-Encoding would, on a persistent connection, let read_content consume bytes belonging to the next pipelined request — making the second request appear to vanish. The drain now only runs when the request actually has a framed body (Content-Length or chunked). The non-SSL "stray-bytes → 413" payload-limit check is likewise limited to non-persistent connections, since on keep-alive any pending bytes may be the next request rather than an unframed body (91271c0)

Internal

  • Extract detail::has_framed_body() and detail::is_connection_persistent() helpers used by the keep-alive fix above (d755c43)

v0.44.0

10 May 12:49

What's Changed

Breaking change (behavioral)

  • Stop percent-decoding HTTP request header values. parse_header() previously applied decode_path_component() to every header value (except Location / Referer) after is_field_value() validation, so wire sequences like %0D%0A passed validation and expanded into literal CR/LF inside stored values — enabling response splitting, log injection, and proxy smuggling. %3D / %2C / %3B likewise flipped Cookie and X-Forwarded-For boundaries against WAFs inspecting the wire form. RFC 9110 §5.5 specifies header values as opaque octets, so the auto-decode (and the Location / Referer workarounds for the same misbehavior) has been removed. Applications that need URI semantics on a header value should now call decode_uri_component() or decode_path_component() on the result explicitly. Fixes the long-standing Referer-with-%0A issue (#2033) (fbb031e)
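
The validate-then-decode ordering described above, as an added example that is not cpp-httplib's own code. `valid_field_value`, `percent_decode`, `store_header` and `decode_checked` are hypothetical stand-ins, and the header value is a constructed sample; `decode_checked` shows an application decoding explicitly and re-validating the result.

```cpp
#include <cctype>
#include <cstdio>
#include <string>

// Hypothetical stand-in for a field-value validator: no control bytes except HTAB.
bool valid_field_value(const std::string &v) {
  for (unsigned char c : v)
    if ((c < 0x20 && c != '\t') || c == 0x7f) return false;
  return true;
}

// Hypothetical minimal percent-decoder; malformed escapes are copied through.
std::string percent_decode(const std::string &s) {
  std::string out;
  for (std::size_t i = 0; i < s.size(); ++i) {
    bool esc = s[i] == '%' && i + 2 < s.size() &&
               std::isxdigit(static_cast<unsigned char>(s[i + 1])) &&
               std::isxdigit(static_cast<unsigned char>(s[i + 2]));
    if (esc) out += static_cast<char>(std::stoi(s.substr(i + 1, 2), nullptr, 16));
    else out += s[i];
    if (esc) i += 2;
  }
  return out;
}

// legacy_decode=true models the old order: validate the wire form, then decode
// what gets stored. false models the fix: validated octets are stored unchanged.
bool store_header(const std::string &wire, bool legacy_decode, std::string &stored) {
  if (!valid_field_value(wire)) return false;
  stored = legacy_decode ? percent_decode(wire) : wire;
  return true;
}

// Explicit opt-in decode for application code: re-validate the decoded result.
bool decode_checked(const std::string &stored, std::string &decoded) {
  decoded = percent_decode(stored);
  return valid_field_value(decoded);
}

int main() {
  const std::string wire = "https://example.test/a%0D%0AX-Constructed: 1"; // constructed
  std::string legacy, opaque, decoded;
  store_header(wire, true, legacy);
  store_header(wire, false, opaque);
  std::printf("legacy CR/LF=%d opaque CR/LF=%d checked-decode ok=%d\n",
              legacy.find('\r') != std::string::npos,
              opaque.find('\r') != std::string::npos, decode_checked(opaque, decoded));
}
```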

Bug fixes

  • Make ThreadPool constructor exception-safe on partial thread creation. If std::thread construction throws partway through (e.g. pthread_create returns EAGAIN under thread-resource pressure), the partially-built threads_ vector would destruct joinable std::thread objects and call std::terminate(). The spawn loop now signals shutdown to the workers already created, joins them, and rethrows. Fix #2444 (#2445)

Tooling

  • scripts/release.sh gains a --minor flag to force a minor bump even when abidiff reports no ABI break, for behavioral breaking changes like the header-decoding fix above (e8e6528)

v0.43.4

09 May 12:35

What's Changed

Security / bug fixes

  • Reject malformed chunk-size in chunked decoder: strtoul silently accepted a leading - and wrapped via unsigned arithmetic, so chunk-size -2 produced ULONG_MAX-1, bypassing the ULONG_MAX guard and letting a client drive the server toward unbounded allocation. Replaced with a manual hex parser that requires at least one hex digit, detects size_t overflow per digit, and accepts only chunk-ext or end-of-line after the digits (RFC 9112 §7.1) (87d62db)
  • Fix #2441: only invoke setarch on Linux in test/Makefile so the test build works on FreeBSD and other non-Linux systems where setarch is unavailable (a9bfe59)
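
The strtoul wrap and a strict chunk-size parser with the three properties listed above, as an added example that is not cpp-httplib's own code. `lenient_chunk_size` and `parse_chunk_size` are hypothetical names, the inputs are constructed, and the line is assumed to arrive with its CRLF already stripped.

```cpp
#include <climits>
#include <cstddef>
#include <cstdio>
#include <cstdlib>
#include <limits>
#include <string>

// The lenient behaviour described above: strtoul accepts a sign and negates the
// result in unsigned arithmetic, so "-2" becomes ULONG_MAX - 1 without an error.
unsigned long lenient_chunk_size(const std::string &line) {
  return std::strtoul(line.c_str(), nullptr, 16);
}

// Strict parser (hypothetical name). `line` is the chunk-size line with its CRLF
// already stripped. Returns false for anything but 1*HEXDIG [ chunk-ext ].
bool parse_chunk_size(const std::string &line, std::size_t &out) {
  const std::size_t max = std::numeric_limits<std::size_t>::max();
  std::size_t value = 0, i = 0;
  for (; i < line.size(); ++i) {
    const char c = line[i];
    std::size_t digit;
    if (c >= '0' && c <= '9') digit = c - '0';
    else if (c >= 'a' && c <= 'f') digit = c - 'a' + 10;
    else if (c >= 'A' && c <= 'F') digit = c - 'A' + 10;
    else break;
    if (value > (max - digit) / 16) return false;  // value * 16 + digit would wrap
    value = value * 16 + digit;
  }
  if (i == 0) return false;  // no hex digit at all: "", "-2", "+5", ";ext"
  if (i < line.size()) {     // anything after the digits must be a chunk-ext
    while (i < line.size() && (line[i] == ' ' || line[i] == '\t')) ++i;  // BWS
    if (i == line.size() || line[i] != ';') return false;
  }
  out = value;
  return true;
}

int main() {
  std::size_t n = 0;
  for (const char *s : {"1a", "1A;ext=1", "-2", "", "0x10", "5 junk"}) {  // constructed
    const bool ok = parse_chunk_size(s, n);
    std::printf("%-10s strtoul=%lu strict=%s\n", s, lenient_chunk_size(s),
                ok ? "ok" : "rejected");
  }
}
```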

CI / tests

  • Use vswhere to locate the Visual Studio install in the 32-bit Windows CI workflow, so it keeps working as windows-latest migrates from VS 2022 to VS 2026 (#2442)
  • Guard nullptr res in the KeepAliveTest proxy template so a transient upstream failure to httpbingo.org produces a clean test failure instead of a SEGV under ASan (#2443)

Full Changelog: v0.43.3...v0.43.4

v0.43.3

04 May 07:23

What's Changed

Bug fixes

  • Fix OSS-Fuzz #508342856: cap Content-Length reservation by payload_max_length_ to prevent excessive memory allocation (2d2efe4)
  • Fix OSS-Fuzz #508087118: avoid stack overflow in str2tag (92aecf8)

Fuzzing / tests

  • Run all fuzzers via make fuzz_test (cae7534)
  • Add OSS-Fuzz #508370122 reproducer to client_fuzzer corpus (b223e29)
  • Make fuzz_test robust to missing corpus files (35c4026)
  • Drop Str2tagTest unit test that broke split / -fno-exceptions builds (f6524c0)
  • Document str2tag_core's compile-time-only role (40e1846)

Full Changelog: v0.43.2...v0.43.3

v0.43.2

30 Apr 11:14

Full Changelog: v0.43.1...v0.43.2

v0.43.1

20 Apr 05:49

Full Changelog: v0.43.0...v0.43.1

v0.43.0

20 Apr 00:19

Full Changelog: v0.42.0...v0.43.0

v0.42.0

11 Apr 22:58

What's Changed

  • test: WebSocketIntegrationTest.SocketSettings: do not set AF_INET by @jirislaby in #2420

Full Changelog: v0.41.0...v0.42.0

v0.41.0

04 Apr 01:53

  • Replace httplib::any / std::map<std::string, httplib::any> based res.user_data with a new type-safe UserData class that provides set() / get<T>() API by @yhirose (Fix #2416)
  • Add parse_url utility function with UrlComponents struct for parsing URLs into scheme, host, port, path, and query components by @yhirose
  • [cmake] Allow using pre-existing zstd::libzstd target if it already exists, useful for projects that bundle their own zstd by @crueter in #2390
  • Add header parser and URL parser fuzzers for OSS-Fuzz coverage improvement by @DavidKorczynski in #2412

v0.40.0

28 Mar 04:59

  • Optimize multipart content provider to coalesce small writes and reduce TCP packet fragmentation by @yhirose in #2410
  • Add set_socket_opt function and corresponding test for TCP_NODELAY option by @yhirose in #2411
  • Implement request body consumption and reject invalid Content-Length with Transfer-Encoding to prevent request smuggling by @yhirose
  • Fixed warnings by @yhirose