Lucene search
K

16 matches found

CVE
CVE
added 2025/07/10 7:45 p.m.51 views

CVE-2025-53628

cpp-httplib before 0.20.1 is vulnerable to HTTP header smuggling due to insecure trailers merge (CVE-2025-53628). Public advisories note the fix is in 0.20.1. OpenSUSE/SUSE advisories across platforms reference this CVE and provide a version-0.20.1 upgrade as remediation. No exploit details are p...

8.8CVSS6.2AI score0.00442EPSS
CVE
CVE
added 2026/03/04 7:36 p.m.39 views

CVE-2026-28435

CVE-2026-28435 affects the cpp-httplib single-file header-only library. Before 0.35.0, the library does not enforce a payload max length on decompressed request bodies when using HandlerWithContentReader with Content-Encoding: gzip (or other encodings). A small compressed payload can expand beyon...

7.5CVSS5.7AI score0.00418EPSS
CVE
CVE
added 2026/05/29 7:14 p.m.32 views

CVE-2026-45352

The CVE-2026-45352 issue affects cpp-httplib (header-only HTTP/HTTPS library). Before version 0.43.4, the ChunkedDecoder::read_payload routine parses the chunk-size in chunked Transfer-Encoding with std::strtoul(), which can silently accept a minus sign. This allows negative chunk sizes (e.g., "-...

7.5CVSS5.7AI score0.00327EPSS
CVE
CVE
added 2026/01/01 5:54 p.m.31 views

CVE-2026-21428

CVE-2026-21428 affects cpp-httplib (C++11 single-file header-only library). The vulnerability is in write_headers: it does not validate CR/LF in user-supplied header values, enabling injection of extra headers, potential tampering with the request body, and SSRF when paired with servers supportin...

8.7CVSS6.4AI score0.00372EPSS
CVE
CVE
added 2026/03/31 9:21 p.m.30 views

CVE-2026-34441

cpp-httplib (C++11 single-file header-only HTTP/HTTPS library) is vulnerable to HTTP Request Smuggling prior to version 0.40.0. The server’s static file handler serves GET responses without consuming the request body, so on HTTP/1.1 keep-alive connections unread body bytes remain on the TCP strea...

6.5CVSS5.7AI score0.00196EPSS
CVE
CVE
added 2025/07/10 7:46 p.m.28 views

CVE-2025-53629

CVE-2025-53629 affects cpp-httplib (C++11 single-file header-only HTTP/HTTPS library). Prior to version 0.23.0, handling of incoming requests with Transfer-Encoding: chunked could allocate memory arbitrarily on the server, risking memory exhaustion. The vulnerability is fixed in 0.23.0. Related C...

7.5CVSS6.3AI score0.00505EPSS
CVE
CVE
added 2026/03/07 4:8 p.m.28 views

CVE-2026-29076

Affected software: cpp-httplib (C++11 single-file header-only HTTP/HTTPS library). The vulnerability occurs before version 0.37.0 where std::regex (libstdc++) is used to parse RFC 5987 encoded filename* values in multipart Content-Disposition headers. The regex engine’s backtracking can cause dee...

5.9CVSS5.6AI score0.00602EPSS
CVE
CVE
added 2026/05/29 7:21 p.m.28 views

CVE-2026-45372

In cpp-httplib, prior to version 0.44.0, the server-side header parsing in parse_header applies percent-decoding to header values (except Location and Referer) after validating the pre-decoded string. The validity check (is_field_value) runs before decoding, allowing an encoded %0D%0A to bypass c...

9.9CVSS5.6AI score0.00295EPSS
CVE
CVE
added 2026/03/13 8:48 p.m.26 views

CVE-2026-32627

cpp-httplib before 0.37.2 is vulnerable when using a proxy and set_follow_location(true): HTTPS redirects can bypass TLS certificate and hostname verification on the redirected connection, allowing a network attacker to intercept credentials or tokens. The issue is fixed in 0.37.2.

8.7CVSS5.6AI score0.00179EPSS
CVE
CVE
added 2026/03/27 12:46 a.m.26 views

CVE-2026-33745

The CVE affects cpp-httplib (a C++11 single-file header-only HTTP/HTTPS library). Before 0.39.0, the HTTP client forwards stored Basic Auth, Bearer Token, and Digest Auth credentials to arbitrary hosts when following cross-origin redirects (301/302/307/308). A malicious or compromised server can ...

7.4CVSS5.6AI score0.00262EPSS
CVE
CVE
added 2025/12/05 6:18 p.m.25 views

CVE-2025-66570

cpp-httplib is affected by CVE-2025-66570 through headers handling in httplib.h prior to 0.27.0. Attacker-controlled HTTP headers named REMOTE_ADDR, REMOTE_PORT, LOCAL_ADDR, LOCAL_PORT can be parsed into the request header multimap by read_headers(), then reused by Server::process_request, potent...

10CVSS6.7AI score0.00302EPSS
CVE
CVE
added 2026/01/12 6:18 p.m.25 views

CVE-2026-22776

CVE-2026-22776 affects cpp-httplib prior to 0.30.1. The DoS arises from unsafe handling of compressed HTTP request bodies (Content-Encoding: gzip, br, etc.); the implementation validates payload_max_length against the compressed data size but does not cap the decompressed data in memory. This can...

8.7CVSS6.3AI score0.00353EPSS
CVE
CVE
added 2026/05/29 7:18 p.m.25 views

CVE-2026-46527

cpp-httplib (C++11 header-only library) before 0.44.0 is vulnerable when Server::set_trusted_proxies() is used with a non-empty trusted-proxy list. An attacker can send an HTTP request with an X-Forwarded-For header that parses to no valid IP segments. The code path then calls get_client_ip(), wh...

8.7CVSS5.7AI score0.00327EPSS
CVE
CVE
added 2026/03/11 5:57 p.m.22 views

CVE-2026-31870

cpp-httplib prior to 0.37.1 uses streaming API (httplib::stream::Get, httplib::stream::Post, etc.) and directly calls std::stoull on the Content-Length header without validation, causing unhandled exceptions and a deterministic crash via std::terminate() when a non-numeric or out-of-range value i...

7.5CVSS5.7AI score0.00453EPSS
CVE
CVE
added 2025/12/05 6:20 p.m.19 views

CVE-2025-66577

cpp-httplib (C++11 single-file header) contains CVE-2025-66577. The issue arises from unconditional acceptance of client-controlled headers (X-Forwarded-For, X-Real-IP) in get_client_ip() within docker/main.cc, allowing spoofed client IPs to influence server-visible metadata, logging, and authori...

5.3CVSS6.3AI score0.00236EPSS
CVE
CVE
added 2026/03/04 7:34 p.m.18 views

CVE-2026-28434

The CVE affects cpp-httplib (C++11 single-file header-only library). Before 0.35.0, if a request handler throws an exception and no custom exception handler is registered via set_exception_handler(), the library writes the exception message into the HTTP response header EXCEPTION_WHAT and sends i...

5.3CVSS5.7AI score0.003EPSS