Impact
The vulnerability exists in cpp-httplib versions prior to 0.37.2. When a client is configured to use a proxy and automatic redirect following is enabled, every HTTPS redirect it follows is opened on a new connection on which TLS certificate and hostname verification have been silently disabled. The client accepts any certificate presented by the redirect target, including expired, self-signed, or forged certificates, without raising an error or notifying the application. This flaw, classified as CWE-295 (Improper Certificate Validation), allows an attacker who controls the network to intercept the redirected HTTPS connection and capture or tamper with credentials or session tokens in transit.
Affected Systems
The affected product is the yhirose:cpp-httplib library in all releases before 0.37.2. Any application that uses this header-only library, configures a proxy on the client, and enables set_follow_location(true) is at risk for every HTTPS redirect the client follows. The vulnerability is fixed starting with version 0.37.2.
Risk and Exploitability
The CVSS base score of 8.7 indicates high severity. The EPSS score is below 1% and the vulnerability is not listed in the CISA KEV catalog, suggesting a relatively low probability of current exploitation. Exploitation requires an attacker who controls the network path to deliver a redirect response pointing the client at a host they can impersonate; the original connection is still verified, but the redirected HTTPS connection is not, so its confidentiality and integrity are compromised and the attacker can read or modify everything sent over it.
OpenCVE Enrichment