Description
cpp-httplib is a C++11 single-file header-only cross-platform HTTP/HTTPS library. Prior to version 0.30.0, the ``write_headers`` function does not check for CR and LF characters in user-supplied headers, allowing an untrusted header value to escape its header line.
This vulnerability allows attackers to add extra headers, modify the request body unexpectedly, and trigger an SSRF attack. When combined with a server that supports HTTP/1.1 pipelining (Spring Boot, Python Twisted, etc.), this can be used for server-side request forgery (SSRF). Version 0.30.0 fixes this issue.
Published: 2026-01-01
Score: 7.7 High
EPSS: < 1% Very Low
KEV: No
Impact: Server‑Side Request Forgery via HTTP header injection
Action: Update Now
AI Analysis

Impact

cpp-httplib serializes outgoing HTTP and HTTPS messages through its write_headers function, and before version 0.30.0 that function copied header values onto the wire without rejecting carriage-return or line-feed characters. A value that an application takes from an untrusted source and places in a header can therefore terminate its own line and append further header lines, a blank line that ends the header block, or a complete second request line. The weakness is classified as CWE-93 (CRLF injection). The CVE description names three consequences: injected headers, an unexpectedly modified request body, and server-side request forgery; the last arises when the server the library talks to accepts HTTP/1.1 pipelining and parses the smuggled bytes as an additional request. Every CVSS vector recorded for this CVE rates the attack vector as network, which presupposes an application that forwards attacker-controlled data into header values.
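The following is an added example, not code from cpp-httplib or from the CVE record. It reimplements, in miniature, the unchecked header serialization the description attributes to write_headers before 0.30.0, beside a hardened serializer that rejects any header name or value containing CR or LF (the "validate or strip" measure recommended below). The header names, the /submit and /internal/admin paths, the X-Trace-Id header and the injected value are all constructed for the demonstration. The request-line counter stands in for a pipelining-capable server: a count above one means the injected value turned a single request into two.

```cpp
// Added example (not cpp-httplib's own code): an unchecked header serializer
// mirroring the pre-0.30.0 behaviour described for write_headers, a hardened
// variant that refuses CR/LF, and a check showing the smuggled second request.
#include <cstddef>
#include <iostream>
#include <string>
#include <utility>
#include <vector>

using Headers = std::vector<std::pair<std::string, std::string>>;

// True if the string contains a bare CR or LF. Those bytes terminate a header
// line in HTTP/1.1, so a value containing them escapes its own line.
bool has_crlf(const std::string &s) {
    return s.find('\r') != std::string::npos || s.find('\n') != std::string::npos;
}

// Unchecked serializer: copies every header value verbatim, as the
// description says write_headers did before 0.30.0.
std::string serialize_request_unchecked(const std::string &method, const std::string &path,
                                        const Headers &headers, const std::string &body) {
    std::string out = method + " " + path + " HTTP/1.1\r\n";
    for (const auto &h : headers) out += h.first + ": " + h.second + "\r\n";
    out += "Content-Length: " + std::to_string(body.size()) + "\r\n\r\n" + body;
    return out;
}

// Hardened serializer: rejects any header name or value containing CR or LF
// and returns an empty string instead of writing a malformed request.
std::string serialize_request_checked(const std::string &method, const std::string &path,
                                      const Headers &headers, const std::string &body) {
    for (const auto &h : headers) {
        if (has_crlf(h.first) || has_crlf(h.second)) return std::string();
    }
    return serialize_request_unchecked(method, path, headers, body);
}

// Count HTTP/1.1 request lines in a byte stream. A pipelining-capable server
// treats each one as a separate request, so a count above 1 means the
// injected header smuggled an extra request.
std::size_t count_request_lines(const std::string &wire) {
    const std::string marker = " HTTP/1.1\r\n";
    std::size_t n = 0, pos = 0;
    while ((pos = wire.find(marker, pos)) != std::string::npos) {
        ++n;
        pos += marker.size();
    }
    return n;
}

// Constructed attacker-controlled value (hypothetical): closes the current
// request with Content-Length: 0 and starts a second request to an internal
// path. The serializer's own Content-Length and body then attach to it.
const std::string kInjectedTraceId =
    "abc\r\nContent-Length: 0\r\n\r\nGET /internal/admin HTTP/1.1\r\nHost: 127.0.0.1";

// Hypothetical application headers; the trace id is the untrusted input.
Headers demo_headers(const std::string &trace_id) {
    return {{"Host", "api.example.test"}, {"X-Trace-Id", trace_id}};
}

// Wire bytes the unchecked path emits for the injected value.
std::string demo_unchecked_wire() {
    return serialize_request_unchecked("POST", "/submit", demo_headers(kInjectedTraceId), "a=1");
}

// Wire bytes the hardened path emits for a given trace id ("" if rejected).
std::string demo_checked_wire(const std::string &trace_id) {
    return serialize_request_checked("POST", "/submit", demo_headers(trace_id), "a=1");
}

int main() {
    std::cout << "unchecked: " << count_request_lines(demo_unchecked_wire())
              << " request line(s) on the wire\n";
    std::cout << "checked, injected value: "
              << (demo_checked_wire(kInjectedTraceId).empty() ? "rejected" : "accepted") << "\n";
    std::cout << "checked, benign value: " << count_request_lines(demo_checked_wire("abc"))
              << " request line(s) on the wire\n";
    return 0;
}
```

Rejecting the request outright is preferable to silently stripping the CR and LF, because a stripped value may still carry the attacker's intended header text into the legitimate request; either way the check must run before any bytes reach the socket.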

Affected Systems

yhirose's cpp-httplib is affected in every version prior to 0.30.0, and so is any application that embeds one of those versions. Because the library ships as a single header that projects copy or vendor into their own source tree, an affected copy is not picked up by a package manager and must be found by inspecting the header itself. Version 0.30.0 adds the CR/LF check to write_headers that closes the injection.

Risk and Exploitability

The headline score of 7.7 (High) is the CVSS v4.0 base score assigned by the CNA, GitHub; the history below also records a CVSS v3.1 score of 8.7 from Red Hat and 7.5 from NVD, all three with a network attack vector and no privileges or user interaction required. The SSVC assessment lists Exploitation as "poc" and Automatable as "yes", while the EPSS score below 1% indicates that, as of the last assessment, exploitation in the wild is not observed at scale and the CVE is not in CISA's KEV catalogue. The practical reach of the flaw depends on whether an application forwards attacker-controlled data into a header value; where it does, the risk is significant for deployments that have not applied the 0.30.0 fix, and the impact is magnified when the upstream server accepts HTTP/1.1 pipelining, since that turns header injection into server-side request forgery.

Generated by OpenCVE AI on April 18, 2026 at 19:23 UTC.

Remediation

Fixed in cpp-httplib 0.30.0, per the CVE description; no separate vendor advisory or workaround is listed on this page.

OpenCVE Recommended Actions

  • Upgrade cpp-httplib to version 0.30.0 or later, including any copy of the header vendored into an application's source tree.
  • Until then, reject (or at least strip) CR and LF characters from any untrusted data before the application places it in a header value passed to the cpp-httplib client.
  • Where the servers that cpp-httplib clients connect to are under your control, disabling HTTP/1.1 pipelining on them removes the SSRF path, although injected headers and body changes remain possible until the library is patched.

Generated by OpenCVE AI on April 18, 2026 at 19:23 UTC.

Advisories

No advisories yet.

History

Tue, 06 Jan 2026 18:30:00 +0000

Type: CPEs
  Added: cpe:2.3:a:yhirose:cpp-httplib:*:*:*:*:*:*:*:*
Type: Metrics
  Removed: cvssV3_1 {'score': 8.7, 'vector': 'CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:C/C:H/I:H/A:N'}
  Added: cvssV3_1 {'score': 7.5, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N'}


Mon, 05 Jan 2026 10:45:00 +0000

Type: First Time appeared
  Added: Yhirose; Yhirose cpp-httplib
Type: Vendors & Products
  Added: Yhirose; Yhirose cpp-httplib

Fri, 02 Jan 2026 19:15:00 +0000

Type: Metrics
  Added: ssvc {'options': {'Automatable': 'yes', 'Exploitation': 'poc', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


Fri, 02 Jan 2026 00:15:00 +0000

Type: References
  Added: (references updated)
Type: Metrics
  Removed: threat_severity None
  Added: cvssV3_1 {'score': 8.7, 'vector': 'CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:C/C:H/I:H/A:N'}
  Added: threat_severity Important


Thu, 01 Jan 2026 18:00:00 +0000

Type: Description
  Added: cpp-httplib is a C++11 single-file header-only cross platform HTTP/HTTPS library. Prior to version 0.30.0, the ``write_headers`` function does not check for CR & LF characters in user supplied headers, allowing untrusted header value to escape header lines. This vulnerability allows attackers to add extra headers, modify request body unexpectedly & trigger an SSRF attack. When combined with a server that supports http1.1 pipelining (springboot, python twisted etc), this can be used for server side request forgery (SSRF). Version 0.30.0 fixes this issue.
Type: Title
  Added: cpp-httplib has CRLF injection in http headers
Type: Weaknesses
  Added: CWE-93
Type: References
  Added: (references updated)
Type: Metrics
  Added: cvssV4_0 {'score': 7.7, 'vector': 'CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:H/VA:N/SC:N/SI:N/SA:N/E:P'}


Subscriptions

Yhirose Cpp-httplib
MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published:

Updated: 2026-01-02T18:50:20.380Z

Reserved: 2025-12-29T03:00:29.274Z

Link: CVE-2026-21428

Vulnrichment

Updated: 2026-01-02T18:50:14.604Z

NVD

Status : Analyzed

Published: 2026-01-01T18:15:41.057

Modified: 2026-01-06T18:20:44.533

Link: CVE-2026-21428

Red Hat

Severity : Important

Public Date: 2026-01-01T17:54:43Z

Links: CVE-2026-21428 - Bugzilla

OpenCVE Enrichment

Updated: 2026-04-18T19:30:08Z

Weaknesses