CRITICAL🇵🇱 Wersja polska

CVE-2026-45372

CVSS 9.9v3.1pub. 2026-05-29upd. 2026-06-01

cpp-httplib is a C++11 single-file header-only cross platform HTTP/HTTPS library. Prior to 0.44.0, when cpp-httplib's server parses an incoming request, it applies percent-decoding to every header value except Location and Referer. The validity check (is_field_value) is run before decoding, so encoded %0D%0A passes the check and is then expanded to a literal \r\n byte pair inside the stored header value. This vulnerability is fixed in 0.44.0.

🤖 AI Analysis
How it works

A server based on cpp-httplib performs validation of request header values (is_field_value function) before performing percent-decoding. The encoded sequence %0D%0A passes validation without errors because in encoded form it does not contain forbidden characters. Then, after decoding, this sequence is expanded to a literal pair of bytes \r\n and written to the internal header structure. This allows an attacker to inject arbitrary headers or split HTTP responses (HTTP response splitting) through a crafted network request.

Impact

An unauthenticated attacker can manipulate HTTP response headers generated by the server, leading to high integrity violation, and potentially also to attacks such as cache poisoning, cross-site scripting, or server content spoofing.

Mitigation & patch

The cpp-httplib library should be updated to version 0.44.0 or later, in which the issue has been fixed by performing header validation after percent-decoding.

Who is affected

The cpp-httplib library (C++11 single-file header-only HTTP/HTTPS library) in versions prior to 0.44.0

Analysis generated by Claude AI (Anthropic) based on NVD data. Always verify with vendor.
CVSS Vector
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:L/I:H/A:L
  • Yhirose Cpp Httplib

    APP
    Yhirose
    < 0.44.0
🔵
CHECK WITH VENDOR
No clear patch data available. Check vendor references.
CWE
References

Related vulnerabilities

CVE-2025-66570CRITICAL10.0PL ✓ten sam produkt

cpp-httplib: spoofing nagłówków HTTP umożliwia bypass autoryzacji i zatrucie logów

CVE-2026-46527HIGH8.7ten sam produkt

cpp-httplib is a C++11 single-file header-only cross platform HTTP/HTTPS library. Prior to 0.44.0, When the se...

CVE-2026-33745HIGH7.4ten sam produkt

cpp-httplib is a C++11 single-file header-only cross platform HTTP/HTTPS library. Prior to 0.39.0, the cpp-htt...

CVE-2026-32627HIGH8.7ten sam produkt

cpp-httplib is a C++11 single-file header-only cross platform HTTP/HTTPS library. Prior to 0.37.2, when a cpp-...

CVE-2026-31870HIGH7.5ten sam produkt

cpp-httplib is a C++11 single-file header-only cross platform HTTP/HTTPS library. Prior to 0.37.1, when a cpp-...