Description
cpp-httplib is a C++11 single-file header-only cross platform HTTP/HTTPS library. Prior to version 0.40.0, cpp-httplib is vulnerable to HTTP Request Smuggling. The server's static file handler serves GET responses without consuming the request body. On HTTP/1.1 keep-alive connections, the unread body bytes remain on the TCP stream and are interpreted as the start of a new HTTP request. An attacker can embed an arbitrary HTTP request inside the body of a GET request, which the server processes as a separate request. This issue has been patched in version 0.40.0.
Published: 2026-03-31
Score: 4.8 Medium
EPSS: < 1% Very Low
KEV: No
Impact: HTTP Request Smuggling
Action: Immediate Patch
AI Analysis

Impact

The vulnerability in the cpp‑httplib library causes the static file handler to return GET responses without consuming the request body. When a keep‑alive connection is used, the unread body bytes remain on the TCP stream and are later interpreted as the start of a new HTTP request. An attacker can embed an arbitrary HTTP request inside the body of a GET request, which the server processes as a separate request. This flaw results in HTTP Request Smuggling, allowing unintended request handling by the server.

Affected Systems

The issue affects any installation of the yhirose:cpp‑httplib library prior to version 0.40.0. The library is a C++11 single-file header‑only cross‑platform HTTP/HTTPS library that may be used in custom web servers or backend services handling HTTP or HTTPS traffic.

Risk and Exploitability

The CVSS score of 4.8 classifies the vulnerability as moderate severity. With an EPSS score below 1% and no listing in the CISA KEV catalog, the likelihood of widespread exploitation appears low. The attack vector is remote; an adversary only needs to send a crafted HTTP request over a keep‑alive connection, without requiring authentication or elevated privileges. The vulnerability stems solely from improper consumption of the request body by the library’s static file handler.

Generated by OpenCVE AI on April 2, 2026 at 05:14 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade cpp‑httplib to version 0.40.0 or newer

Generated by OpenCVE AI on April 2, 2026 at 05:14 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

History

Wed, 01 Apr 2026 23:45:00 +0000

Type Values Removed Values Added
First Time appeared Yhirose
Yhirose cpp-httplib
CPEs cpe:2.3:a:yhirose:cpp-httplib:*:*:*:*:*:*:*:*
Vendors & Products Yhirose
Yhirose cpp-httplib

Wed, 01 Apr 2026 02:15:00 +0000

Type Values Removed Values Added
Description cpp-httplib is a C++11 single-file header-only cross platform HTTP/HTTPS library. Prior to version 0.40.0, cpp-httplib is vulnerable to HTTP Request Smuggling. The server's static file handler serves GET responses without consuming the request body. On HTTP/1.1 keep-alive connections, the unread body bytes remain on the TCP stream and are interpreted as the start of a new HTTP request. An attacker can embed an arbitrary HTTP request inside the body of a GET request, which the server processes as a separate request. This issue has been patched in version 0.40.0.
Title cpp-httplib: HTTP Request Smuggling via Unconsumed GET Request Body
Weaknesses CWE-444
References
Metrics cvssV3_1

{'score': 4.8, 'vector': 'CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:N'}

Subscriptions

Yhirose Cpp-httplib
cve-icon MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published:

Updated: 2026-04-01T15:53:07.782Z

Reserved: 2026-03-27T18:18:14.894Z

Link: CVE-2026-34441

cve-icon Vulnrichment

No data.

cve-icon NVD

Status : Analyzed

Published: 2026-03-31T22:16:19.177

Modified: 2026-04-01T20:28:01.840

Link: CVE-2026-34441

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-04-02T20:10:26Z

Weaknesses