Description
cpp-httplib is a C++11 single-file header-only cross-platform HTTP/HTTPS library. Prior to 0.44.0, when the server has called Server::set_trusted_proxies() with a non-empty trusted-proxy list, an attacker can send an HTTP request that includes an X-Forwarded-For header whose value parses to no valid IP segments. The code path then executes get_client_ip(), which calls front() on an empty std::vector, which is undefined behavior in C++. On typical implementations this manifests as abnormal process termination (denial of service). With sanitizers enabled, the defect surfaces as an explicit runtime diagnostic. This vulnerability is fixed in 0.44.0.
Published: 2026-05-29
Score: 8.7 High
EPSS: n/a
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

cpp-httplib allows an attacker to trigger a crash by sending a malformed X-Forwarded-For header when the server has been configured with trusted proxies. The library calls the front() method on a std::vector that is empty, which is undefined behavior in C++. On common implementations this results in abnormal process termination, effectively denying service to legitimate clients.

Affected Systems

The vulnerability affects the yhirose:cpp-httplib library in all releases prior to 0.44.0. Any project integrating these older versions and enabling Server::set_trusted_proxies() is at risk.

Risk and Exploitability

The CVSS score is 8.7, indicating a high-severity flaw. The EPSS score is not reported, and the vulnerability is not listed in CISA's KEV catalog. The attack vector is inferred to be remote, requiring the attacker to send a crafted HTTP request to a target server that has configured trusted proxies.

Generated by OpenCVE AI on May 29, 2026 at 21:27 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade cpp-httplib to version 0.44.0 or later.
  • If a trusted-proxy list is required, replace Server::set_trusted_proxies() with a custom implementation that validates the X-Forwarded-For header and ensures the vector contains at least one valid IP segment before accessing front().
  • Review and update any downstream code that parses the X-Forwarded-For header to guard against empty vectors or otherwise malformed input.
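The guard the recommended actions describe, as an added example in C++ (this is not cpp-httplib's own code, and the function names, the `trusted` set type and the right-to-left trusted-proxy walk are assumptions about a reasonable implementation, not a description of the library's internals). It shows the CWE-476 pattern from the advisory, `front()` on a vector that may be empty, next to a hardened variant that validates every X-Forwarded-For segment with `inet_pton` and falls back to the socket peer address when nothing valid remains:

```cpp
// Added example, not cpp-httplib code. Names and the proxy-walk rule are
// assumptions; the point is the empty-vector guard before front()/back().
#include <arpa/inet.h>
#include <netinet/in.h>
#include <iostream>
#include <set>
#include <string>
#include <vector>

// Split a comma-separated header value and trim surrounding whitespace.
static std::vector<std::string> split_csv(const std::string& value) {
    std::vector<std::string> out;
    std::string cur;
    auto flush = [&]() {
        size_t b = cur.find_first_not_of(" \t");
        size_t e = cur.find_last_not_of(" \t");
        if (b != std::string::npos) out.push_back(cur.substr(b, e - b + 1));
        cur.clear();
    };
    for (char c : value) {
        if (c == ',') flush(); else cur += c;
    }
    flush();
    return out;
}

// True if s is a syntactically valid IPv4 or IPv6 literal.
static bool is_valid_ip(const std::string& s) {
    unsigned char buf[sizeof(struct in6_addr)];
    return inet_pton(AF_INET, s.c_str(), buf) == 1 ||
           inet_pton(AF_INET6, s.c_str(), buf) == 1;
}

// Keep only the X-Forwarded-For segments that parse as IP addresses.
// A header such as "garbage, ???" yields an empty vector.
static std::vector<std::string> valid_segments(const std::string& xff) {
    std::vector<std::string> out;
    for (const auto& seg : split_csv(xff))
        if (is_valid_ip(seg)) out.push_back(seg);
    return out;
}

// Unguarded pattern of the kind the advisory describes (CWE-476 class):
// when valid_segments() is empty, front() is undefined behaviour.
// Shown for contrast only; never call it with an unvalidated header.
static std::string client_ip_unguarded(const std::string& xff) {
    return valid_segments(xff).front();
}

// Hardened variant: strip trusted proxies from the right-hand end (assumed
// selection rule), and if no valid, untrusted hop remains, use the peer
// address of the TCP connection instead of touching an empty vector.
static std::string client_ip_guarded(const std::string& remote_addr,
                                     const std::string& xff,
                                     const std::set<std::string>& trusted) {
    std::vector<std::string> segs = valid_segments(xff);
    while (!segs.empty() && trusted.count(segs.back())) segs.pop_back();
    if (segs.empty()) return remote_addr;  // the guard: no front()/back() on empty
    return segs.back();
}

int main() {
    // Constructed inputs: the peer is a trusted proxy, the header is junk.
    std::set<std::string> trusted{"10.0.0.5"};
    std::cout << client_ip_guarded("10.0.0.5", "garbage, ???", trusted) << "\n";
    std::cout << client_ip_guarded("10.0.0.5", "203.0.113.7, 10.0.0.5", trusted) << "\n";
    return 0;
}
```

The important property is that every path through `client_ip_guarded` returns a value without dereferencing an element of a possibly empty container; the fallback to `remote_addr` is what turns a crash into an ordinary request from the proxy's own address.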

Advisories

No advisories yet.

History

Fri, 29 May 2026 21:45:00 +0000

First Time appeared (values added): Yhirose; Yhirose cpp-httplib
Vendors & Products (values added): Yhirose; Yhirose cpp-httplib

Fri, 29 May 2026 20:15:00 +0000

Description (value added): cpp-httplib is a C++11 single-file header-only cross platform HTTP/HTTPS library. Prior to 0.44.0, When the server has called Server::set_trusted_proxies() with a non-empty trusted-proxy list, an attacker can send an HTTP request that includes an X-Forwarded-For header whose value parses to no valid IP segments. The code path then executes get_client_ip(), which calls front() on an empty std::vector—undefined behavior in C++. On typical implementations this manifests as abnormal process termination (denial of service). With Sanitizers enabled, you get an explicit runtime diagnostic. This vulnerability is fixed in 0.44.0.
Title (value added): cpp-httplib: Malicious `X-Forwarded-For` Under Trusted-Proxy Configuration Triggers Empty `vector::front()`, Leading to Undefined Behavior and Server Crash
Weaknesses (value added): CWE-476
References (value added): none listed
Metrics (value added): cvssV4_0
{'score': 8.7, 'vector': 'CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N'}


MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published:

Updated: 2026-05-29T19:18:26.615Z

Reserved: 2026-05-14T19:12:32.755Z

Link: CVE-2026-46527

Vulnrichment

No data.

NVD

Status: Awaiting Analysis

Published: 2026-05-29T20:16:28.137

Modified: 2026-05-29T20:23:08.683

Link: CVE-2026-46527

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-05-29T21:30:06Z

Weaknesses