Description
C++ HTTP Server is an HTTP/1.1 server built to handle client connections and serve HTTP requests. Versions 1.0 and below are vulnerable to Path Traversal via the RequestHandler::handleRequest method. This flaw allows an unauthenticated, remote attacker to read arbitrary files from the server's filesystem by crafting a malicious HTTP GET request containing ../ sequences. The application fails to sanitize the filename variable derived from the user-controlled URL path, directly concatenating it to the files_directory base path and enabling traversal outside the intended root. No patch was available at the time of publication.
Published: 2026-01-24
Score: 7.5 High
EPSS: < 1% Very Low
KEV: No
Impact: Remote attacker can read arbitrary files through path traversal
Action: Monitor
AI Analysis

Impact

C++ HTTP Server accepts HTTP/1.1 requests and serves files from a configured directory. A flaw in RequestHandler::handleRequest fails to sanitize the filename derived from the URL path, allowing a malicious client to craft a GET request containing "../" sequences. The vulnerability is a classic directory traversal (CWE-22) that permits an unauthenticated, remote attacker to read any file on the server’s filesystem beyond the intended root, potentially exposing configuration files, credentials, or sensitive data. The impact is confidentiality compromise by remote arbitrary file read.
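
As an added illustration (not code from the http-server project or from this advisory), the following C++17 example contrasts the unchecked concatenation described above with a resolution step that keeps the result inside the base directory. The function names `naive_resolve` and `safe_resolve` and the `/srv/files` base directory are hypothetical, and `filename` is assumed to be URL-decoded already.

```cpp
// Added example: naive vs. contained path resolution (hypothetical helper names).
#include <algorithm>
#include <filesystem>
#include <iostream>
#include <optional>
#include <string>
#include <system_error>

namespace fs = std::filesystem;

// Pattern the advisory describes: the URL-derived name is concatenated onto the
// base directory unchecked. Reconstructed for illustration, not project code.
std::string naive_resolve(const std::string& files_directory, const std::string& filename) {
    return files_directory + filename;
}

// Hardened form: canonicalize both paths, then require the candidate to sit
// under the base. Assumes filename has already been URL-decoded.
std::optional<fs::path> safe_resolve(const fs::path& files_directory, const std::string& filename) {
    if (filename.find('\0') != std::string::npos) return std::nullopt;
    std::error_code ec;
    fs::path base = fs::weakly_canonical(files_directory, ec);
    if (ec) return std::nullopt;
    if (!base.has_filename()) base = base.parent_path();  // drop a trailing '/'
    // relative_path() strips the leading '/'; an absolute right-hand side would
    // make operator/ discard the base entirely.
    fs::path candidate = fs::weakly_canonical(base / fs::path(filename).relative_path(), ec);
    if (ec) return std::nullopt;
    // Component-wise prefix test, so "/srv/files_old" does not pass for "/srv/files".
    auto diverge = std::mismatch(base.begin(), base.end(), candidate.begin(), candidate.end());
    if (diverge.first != base.end()) return std::nullopt;
    return candidate;
}

int main() {
    const std::string root = "/srv/files";  // constructed sample base directory
    for (const std::string name : {"/index.html", "/a/../index.html", "/../../etc/passwd"}) {
        auto resolved = safe_resolve(root, name);
        std::cout << name << "\n  naive: " << naive_resolve(root, name)
                  << "\n  safe:  " << (resolved ? resolved->string() : "rejected") << "\n";
    }
}
```

Because `weakly_canonical` resolves symlinks in the part of the path that exists, a symlink inside the base directory that points outside it is rejected by the same prefix test.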

Affected Systems

The problem affects the open-source http-server project from frustratedProton, specifically version 1.0 and all earlier releases. Any deployment of these versions that exposes the HTTP interface is vulnerable until a patch or mitigating change is applied.

Risk and Exploitability

The CVSS base score of 7.5 reflects high impact and medium exploitation difficulty; the EPSS score of less than 1% suggests that, at the moment, exploitation attempts are rare, and the vulnerability is not currently listed in the CISA KEV catalog. An attacker can trigger the flaw remotely without authentication by sending a crafted GET request that includes path‑traversal sequences. Success hinges on the server running an affected version and the network being accessible, so perimeter defenses and IP restrictions reduce the attack surface.

Generated by OpenCVE AI on April 18, 2026 at 02:56 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Use a web application firewall or reverse-proxy rule to reject HTTP GET requests whose path contains "../" segments.
  • Restrict inbound access to the http-server instance to trusted IP ranges, limiting unauthenticated exposure.
  • Plan for an upgrade to a version newer than 1.0 once the vendor releases a patch; if an update is not feasible, consider placing the server in a sandboxed environment (e.g., chroot or container) to constrain filesystem visibility.



Advisories

No advisories yet.

History

Mon, 26 Jan 2026 19:15:00 +0000

Type | Values Removed | Values Added
Metrics | | ssvc {'options': {'Automatable': 'yes', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


Mon, 26 Jan 2026 12:00:00 +0000

Type | Values Removed | Values Added
First Time appeared | | Frustratedproton; Frustratedproton http-server
Vendors & Products | | Frustratedproton; Frustratedproton http-server

Sat, 24 Jan 2026 02:45:00 +0000

Type | Values Removed | Values Added
Description | | C++ HTTP Server is an HTTP/1.1 server built to handle client connections and serve HTTP requests. Versions 1.0 and below are vulnerable to Path Traversal via the RequestHandler::handleRequest method. This flaw allows an unauthenticated, remote attacker to read arbitrary files from the server's filesystem by crafting a malicious HTTP GET request containing ../ sequences. The application fails to sanitize the filename variable derived from the user-controlled URL path, directly concatenating it to the files_directory base path and enabling traversal outside the intended root. No patch was available at the time of publication.
Title | | C++ HTTP Server has Critical Path Traversal Vulnerability in RequestHandler Allowing Arbitrary File Read
Weaknesses | | CWE-22
References | |
Metrics | | cvssV3_1 {'score': 7.5, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N'}


MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published:

Updated: 2026-01-26T16:17:09.316Z

Reserved: 2026-01-23T00:38:20.546Z

Link: CVE-2026-24469

Vulnrichment

Updated: 2026-01-26T16:16:32.174Z

NVD

Status: Deferred

Published: 2026-01-24T03:16:01.150

Modified: 2026-04-15T00:35:42.020

Link: CVE-2026-24469

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-04-18T03:00:10Z
