Description
cpp-httplib is a C++11 single-file header-only cross platform HTTP/HTTPS library. Prior to 0.44.0, when cpp-httplib's server parses an incoming request, it applies percent-decoding to every header value except Location and Referer. The validity check (is_field_value) is run before decoding, so encoded %0D%0A passes the check and is then expanded to a literal \r\n byte pair inside the stored header value. This vulnerability is fixed in 0.44.0.
Published: 2026-05-29
Score: 9.9 Critical
EPSS: n/a
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

Prior to version 0.44.0, cpp-httplib's server percent-decoded every incoming request header value except Location and Referer, and ran its validity check (is_field_value) on the encoded text, before decoding. An attacker can therefore send a header whose value contains %0D%0A: the encoded form passes the check, and the value the server stores contains the literal carriage-return and line-feed bytes the check was meant to exclude. What the attacker gains depends on where the application uses that stored value. Any code path that treats a header value as a single line (copying it into a response header, forwarding it to an upstream, writing it to a log) can be made to emit attacker-chosen extra lines. The record classifies the weakness as CRLF injection (CWE-93) and HTTP request/response smuggling (CWE-444).

Affected Systems

The vulnerability affects any deployment that uses the yhirose/cpp-httplib library at a version before 0.44.0. cpp-httplib is a C++11 single-file header-only HTTP/HTTPS client and server library used across platforms; because it is embedded as a header rather than linked as a shared library, each application that vendors it must be rebuilt against a fixed copy. The flaw is in the server-side request parser, so applications that embed the library as a server component are exposed, while applications that use it only as an HTTP client are not affected by this issue.

Risk and Exploitability

The CVSS 3.1 base score of 9.9 (Critical) comes from the vector AV:N/AC:L/PR:N/UI:N/S:C/C:L/I:H/A:L: the flaw is reachable over the network with low attack complexity, no privileges and no user interaction, with a scope change and a high integrity impact. Although no EPSS score is available and the vulnerability is not listed in CISA's KEV catalog, exploitation requires only one crafted HTTP request carrying percent-encoded CR/LF in a header value, sent to a server built on the vulnerable library, and yields header injection with potential request or response smuggling. The absence of an EPSS value does not lower the severity; organizations should treat this as a high-risk issue until the library is updated.

Generated by OpenCVE AI on May 29, 2026 at 21:26 UTC.

Remediation

The description states that the issue is fixed in cpp-httplib 0.44.0; no separate vendor advisory or workaround is listed on this page.

OpenCVE Recommended Actions

  • Upgrade cpp-httplib to version 0.44.0 or newer.
  • If an upgrade is not immediately possible, patch the embedded copy so that header values are validated after any percent-decoding (or are not percent-decoded at all), rejecting any value that contains CR (0x0D) or LF (0x0A) once decoded.
  • Configure front-end web servers or reverse proxies to reject requests whose header values contain percent-encoded CR or LF (%0D and %0A, in either letter case). Filtering only literal CRLF does not help: the attack uses the encoded form precisely because a literal CRLF would terminate the header line.
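The check-before-decode ordering described under Impact, and the decode-then-validate fix suggested in the second action above, as an added example. This is not cpp-httplib's own code and not the change shipped in 0.44.0: is_field_value here is a simplified stand-in for the check the page names (it rejects only CR, LF and NUL), percent_decode is an assumed minimal %XX decoder, and the header value is a constructed attacker input.

```cpp
// Added example (not cpp-httplib's code): header-value validation before vs.
// after percent-decoding. Compiles with any C++11 compiler.
#include <cctype>
#include <cstdio>
#include <cstdlib>
#include <string>

// Result of parsing one header value: whether the request is accepted and
// the value that would be stored in the server's header map.
struct ParsedValue {
    bool accepted;
    std::string value;
};

// Simplified stand-in for the page's is_field_value check (assumption):
// a field value must not contain CR, LF or NUL.
bool is_field_value(const std::string &v) {
    for (std::string::size_type i = 0; i < v.size(); ++i) {
        unsigned char c = static_cast<unsigned char>(v[i]);
        if (c == '\r' || c == '\n' || c == '\0') return false;
    }
    return true;
}

// Minimal %XX decoder (assumption: models the decoding the page describes).
// A '%' not followed by two hex digits is copied through unchanged.
std::string percent_decode(const std::string &s) {
    std::string out;
    out.reserve(s.size());
    for (std::string::size_type i = 0; i < s.size(); ++i) {
        if (s[i] == '%' && i + 2 < s.size() &&
            std::isxdigit(static_cast<unsigned char>(s[i + 1])) &&
            std::isxdigit(static_cast<unsigned char>(s[i + 2]))) {
            long byte = std::strtol(s.substr(i + 1, 2).c_str(), nullptr, 16);
            out.push_back(static_cast<char>(byte));
            i += 2;
        } else {
            out.push_back(s[i]);
        }
    }
    return out;
}

// Vulnerable ordering (the pre-0.44.0 behaviour the page describes): the
// check sees the encoded text, so "%0D%0A" passes, and the decoded value
// that is actually stored contains a literal "\r\n".
ParsedValue parse_value_vulnerable(const std::string &raw) {
    ParsedValue r;
    r.accepted = is_field_value(raw);
    r.value = r.accepted ? percent_decode(raw) : std::string();
    return r;
}

// Hardened ordering (one way to implement the recommended action; not
// necessarily the 0.44.0 change): decode first, then validate the bytes
// that will be stored. Encoded CR/LF is now rejected like raw CR/LF.
ParsedValue parse_value_hardened(const std::string &raw) {
    ParsedValue r;
    std::string decoded = percent_decode(raw);
    r.accepted = is_field_value(decoded);
    r.value = r.accepted ? decoded : std::string();
    return r;
}

// Prints a parse result with CR and LF made visible.
static void dump(const char *label, const ParsedValue &p) {
    std::printf("%s: %s", label, p.accepted ? "accepted, stored=" : "rejected");
    if (p.accepted) {
        for (std::string::size_type i = 0; i < p.value.size(); ++i) {
            char c = p.value[i];
            if (c == '\r') std::printf("\\r");
            else if (c == '\n') std::printf("\\n");
            else std::putchar(c);
        }
    }
    std::putchar('\n');
}

int main() {
    // Constructed attacker input: a benign prefix, an encoded CRLF, then a
    // forged second header line.
    const std::string attack = "legit%0D%0AX-Injected:%201";
    dump("vulnerable", parse_value_vulnerable(attack));
    dump("hardened  ", parse_value_hardened(attack));
    return 0;
}
```

The vulnerable path accepts the value and stores a CR LF pair followed by a forged header line; the hardened path rejects the same input. The general rule is that a check vouches only for the bytes it inspected, so any transformation applied after it (percent-decoding here) has to be followed by re-validation of the transformed result.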


Advisories

No advisories yet.

History

Fri, 29 May 2026 21:45:00 +0000

Type                 Values Removed   Values Added
First Time appeared                   Yhirose
                                      Yhirose cpp-httplib
Vendors & Products                    Yhirose
                                      Yhirose cpp-httplib

Fri, 29 May 2026 20:15:00 +0000

Type          Values Removed   Values Added
Description                    cpp-httplib is a C++11 single-file header-only cross platform HTTP/HTTPS library. Prior to 0.44.0, when cpp-httplib's server parses an incoming request, it applies percent-decoding to every header value except Location and Referer. The validity check (is_field_value) is run before decoding, so encoded %0D%0A passes the check and is then expanded to a literal \r\n byte pair inside the stored header value. This vulnerability is fixed in 0.44.0.
Title                          cpp-httplib: HTTP header value percent-decoding in server-side `parse_header` enables CRLF injection
Weaknesses                     CWE-444
                               CWE-93
References
Metrics                        cvssV3_1
                               {'score': 9.9, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:L/I:H/A:L'}


MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published:

Updated: 2026-05-29T19:21:12.313Z

Reserved: 2026-05-12T00:51:29.086Z

Link: CVE-2026-45372

Vulnrichment

No data.

NVD

Status : Awaiting Analysis

Published: 2026-05-29T20:16:26.473

Modified: 2026-05-29T20:23:08.683

Link: CVE-2026-45372

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-05-29T21:30:06Z

Weaknesses