Lucene search: Yhirose Cpp-httplib

19 matches found

CVE | added 2020/04/12 1:30 p.m. | 82 views

CVE-2020-11709

The CVE-2020-11709 issue affects the cpp-httplib library prior to 0.12.4, where CRLF injection is possible because input is not filtered when setting the Content-Type header in HTTP requests created by Patch, Post, Put, or Delete. The vulnerability arises in untrusted input used to influence head...

CVSS 7.5 | AI score 7.6 | EPSS 0.01643

CVE | added 2025/02/04 2:11 p.m. | 70 views

CVE-2025-0825

CVE-2025-0825 affects the C++ header-only library cpp-httplib, where versions v0.17.3 through v0.18.3 do not filter CRLF characters when preceded by a null byte. The underlying issue enables CRLF injection, which could lead to HTTP Response Splitting and related risks (e.g., XSS) as described in ...

CVSS 6.9 | AI score 7.2 | EPSS 0.00377

CVE | added 2025/07/10 7:45 p.m. | 49 views

CVE-2025-53628

cpp-httplib before 0.20.1 is vulnerable to HTTP header smuggling due to insecure trailers merge (CVE-2025-53628). Public advisories note the fix is in 0.20.1. OpenSUSE/SUSE advisories across platforms reference this CVE and provide a version-0.20.1 upgrade as remediation. No exploit details are p...

CVSS 8.8 | AI score 6.2 | EPSS 0.00442

CVE | added 2026/03/04 7:36 p.m. | 36 views

CVE-2026-28435

CVE-2026-28435 affects the cpp-httplib single-file header-only library. Before 0.35.0, the library does not enforce a payload max length on decompressed request bodies when using HandlerWithContentReader with Content-Encoding: gzip (or other encodings). A small compressed payload can expand beyon...

CVSS 7.5 | AI score 5.7 | EPSS 0.00418

CVE | added 2026/05/29 7:14 p.m. | 31 views

CVE-2026-45352

The CVE-2026-45352 issue affects cpp-httplib (header-only HTTP/HTTPS library). Before version 0.43.4, the ChunkedDecoder::read_payload routine parses the chunk-size in chunked Transfer-Encoding with std::strtoul(), which can silently accept a minus sign. This allows negative chunk sizes (e.g., "-...

CVSS 7.5 | AI score 5.7 | EPSS 0.00327

CVE | added 2025/06/26 2:31 p.m. | 28 views

CVE-2025-52887

cpp-httplib (C++11 single-file header-only library) is affected by CVE-2025-52887 in version 0.21.0 where there is no limit on the number of HTTP header fields and header memory is not released on disconnect, potentially exhausting system memory and causing server crash or unresponsiveness. Remed...

CVSS 7.5 | AI score 7 | EPSS 0.0043

CVE | added 2026/05/29 7:21 p.m. | 27 views

CVE-2026-45372

In cpp-httplib, prior to version 0.44.0, the server-side header parsing in parse_header applies percent-decoding to header values (except Location and Referer) after validating the pre-decoded string. The validity check (is_field_value) runs before decoding, allowing an encoded %0D%0A to bypass c...

CVSS 9.9 | AI score 5.6 | EPSS 0.00295

CVE | added 2025/07/10 7:46 p.m. | 25 views

CVE-2025-53629

CVE-2025-53629 affects cpp-httplib (C++11 single-file header-only HTTP/HTTPS library). Prior to version 0.23.0, handling of incoming requests with Transfer-Encoding: chunked could allocate memory arbitrarily on the server, risking memory exhaustion. The vulnerability is fixed in 0.23.0. Related C...

CVSS 7.5 | AI score 6.3 | EPSS 0.00505

CVE | added 2026/01/01 5:54 p.m. | 25 views

CVE-2026-21428

CVE-2026-21428 affects cpp-httplib (C++11 single-file header-only library). The vulnerability is in write_headers: it does not validate CR/LF in user-supplied header values, enabling injection of extra headers, potential tampering with the request body, and SSRF when paired with servers supportin...

CVSS 8.7 | AI score 6.4 | EPSS 0.00372

CVE | added 2025/12/05 6:18 p.m. | 24 views

CVE-2025-66570

cpp-httplib is affected by CVE-2025-66570 through headers handling in httplib.h prior to 0.27.0. Attacker-controlled HTTP headers named REMOTE_ADDR, REMOTE_PORT, LOCAL_ADDR, LOCAL_PORT can be parsed into the request header multimap by read_headers(), then reused by Server::process_request, potent...

CVSS 10 | AI score 6.7 | EPSS 0.00302

CVE | added 2026/03/07 4:8 p.m. | 22 views

CVE-2026-29076

Affected software: cpp-httplib (C++11 single-file header-only HTTP/HTTPS library). The vulnerability occurs before version 0.37.0 where std::regex (libstdc++) is used to parse RFC 5987 encoded filename* values in multipart Content-Disposition headers. The regex engine’s backtracking can cause dee...

CVSS 5.9 | AI score 5.6 | EPSS 0.00602

CVE | added 2026/03/13 8:48 p.m. | 22 views

CVE-2026-32627

cpp-httplib before 0.37.2 is vulnerable when using a proxy and set_follow_location(true): HTTPS redirects can bypass TLS certificate and hostname verification on the redirected connection, allowing a network attacker to intercept credentials or tokens. The issue is fixed in 0.37.2.

CVSS 8.7 | AI score 5.6 | EPSS 0.00179

CVE | added 2026/01/12 6:18 p.m. | 21 views

CVE-2026-22776

CVE-2026-22776 affects cpp-httplib prior to 0.30.1. The DoS arises from unsafe handling of compressed HTTP request bodies (Content-Encoding: gzip, br, etc.); the implementation validates payload_max_length against the compressed data size but does not cap the decompressed data in memory. This can...

CVSS 8.7 | AI score 6.3 | EPSS 0.00353

CVE | added 2026/05/29 7:18 p.m. | 20 views

CVE-2026-46527

cpp-httplib (C++11 header-only library) before 0.44.0 is vulnerable when Server::set_trusted_proxies() is used with a non-empty trusted-proxy list. An attacker can send an HTTP request with an X-Forwarded-For header that parses to no valid IP segments. The code path then calls get_client_ip(), wh...

CVSS 8.7 | AI score 5.7 | EPSS 0.00327

CVE | added 2026/03/11 5:57 p.m. | 18 views

CVE-2026-31870

cpp-httplib prior to 0.37.1 uses streaming API (httplib::stream::Get, httplib::stream::Post, etc.) and directly calls std::stoull on the Content-Length header without validation, causing unhandled exceptions and a deterministic crash via std::terminate() when a non-numeric or out-of-range value i...

CVSS 7.5 | AI score 5.7 | EPSS 0.00453

CVE | added 2025/12/05 6:20 p.m. | 17 views

CVE-2025-66577

cpp-httplib (C++11 single-file header) contains CVE-2025-66577. The issue arises from unconditional acceptance of client-controlled headers (X-Forwarded-For, X-Real-IP) in get_client_ip() within docker/main.cc, allowing spoofed client IPs to influence server-visible metadata, logging, and authori...

CVSS 5.3 | AI score 6.3 | EPSS 0.00236

CVE | added 2026/03/04 7:34 p.m. | 17 views

CVE-2026-28434

The CVE affects cpp-httplib (C++11 single-file header-only library). Before 0.35.0, if a request handler throws an exception and no custom exception handler is registered via set_exception_handler(), the library writes the exception message into the HTTP response header EXCEPTION_WHAT and sends i...

CVSS 5.3 | AI score 5.7 | EPSS 0.003

CVE | added 2026/03/27 12:46 a.m. | 13 views

CVE-2026-33745

The CVE affects cpp-httplib (a C++11 single-file header-only HTTP/HTTPS library). Before 0.39.0, the HTTP client forwards stored Basic Auth, Bearer Token, and Digest Auth credentials to arbitrary hosts when following cross-origin redirects (301/302/307/308). A malicious or compromised server can ...

CVSS 7.4 | AI score 5.6 | EPSS 0.00262

CVE | added 2026/03/31 9:21 p.m. | 12 views

CVE-2026-34441

cpp-httplib (C++11 single-file header-only HTTP/HTTPS library) is vulnerable to HTTP Request Smuggling prior to version 0.40.0. The server’s static file handler serves GET responses without consuming the request body, so on HTTP/1.1 keep-alive connections unread body bytes remain on the TCP strea...

CVSS 6.5 | AI score 5.7 | EPSS 0.00196