Description
cpp-httplib is a C++11 single-file header-only cross platform HTTP/HTTPS library. Prior to 0.39.0, the cpp-httplib HTTP client forwards stored Basic Auth, Bearer Token, and Digest Auth credentials to arbitrary hosts when following cross-origin HTTP redirects (301/302/307/308). A malicious or compromised server can redirect the client to an attacker-controlled host, which then receives the plaintext credentials in the `Authorization` header. Version 0.39.0 fixes the issue.
Published: 2026-03-27
Score: 7.4 High
EPSS: < 1% Very Low
KEV: No
Impact: Credential Exposure
Action: Apply Patch
AI Analysis

Impact

The cpp-httplib HTTP client forwards Basic Auth, Bearer token, and Digest credentials to any host when following cross‑origin redirects (301, 302, 307, 308). This behavior allows an attacker who controls the redirect target to receive credentials sent in the Authorization header, potentially compromising authenticated sessions. The flaw falls under an information‑exposure weakness.

Affected Systems

The issue affects the yhirose:cpp‑httplib library in all releases older than 0.39.0. Projects that include the library as a header‑only dependency are at risk unless they have upgraded to the patched version. The library’s single‑file nature means a simple inclusion of an old header can expose applications.

Risk and Exploitability

The CVSS score of 7.4 indicates high severity. No public exploitation reports are recorded and the vulnerability is not yet present in the CISA Known Exploited Vulnerabilities catalog, suggesting limited known usage. Nevertheless, any client communicating with a server that can issue a malicious redirect can be tricked into leaking credentials. The attack vector is a remote network attack relying on HTTP redirects, and the risk is significant for applications that rely on secure authentication.

Generated by OpenCVE AI on March 27, 2026 at 06:50 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Update cpp-httplib to version 0.39.0 or later
  • Rebuild applications and dependent libraries to use the patched version
  • If an upgrade is infeasible, configure the client to reject redirects to different origins or disable automatic redirection handling

Generated by OpenCVE AI on March 27, 2026 at 06:50 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

History

Fri, 27 Mar 2026 08:45:00 +0000

Type Values Removed Values Added
First Time appeared Yhirose
Yhirose cpp-httplib
Vendors & Products Yhirose
Yhirose cpp-httplib

Fri, 27 Mar 2026 04:00:00 +0000

Type Values Removed Values Added
Description cpp-httplib is a C++11 single-file header-only cross platform HTTP/HTTPS library. Prior to 0.39.0, the cpp-httplib HTTP client forwards stored Basic Auth, Bearer Token, and Digest Auth credentials to arbitrary hosts when following cross-origin HTTP redirects (301/302/307/308). A malicious or compromised server can redirect the client to an attacker-controlled host, which then receives the plaintext credentials in the `Authorization` header. Version 0.39.0 fixes the issue.
Title cpp-httplib Client Leaks Authentication Credentials to Untrusted Hosts on Cross-Origin HTTP Redirect
Weaknesses CWE-200
References
Metrics cvssV3_1

{'score': 7.4, 'vector': 'CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:N'}

Subscriptions

Yhirose Cpp-httplib
cve-icon MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published:

Updated: 2026-03-27T00:46:48.941Z

Reserved: 2026-03-23T17:34:57.562Z

Link: CVE-2026-33745

cve-icon Vulnrichment

No data.

cve-icon NVD

Status : Received

Published: 2026-03-27T01:16:21.167

Modified: 2026-03-27T01:16:21.167

Link: CVE-2026-33745

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-03-27T09:22:27Z

Weaknesses