CVE-2026-21428

EUVD-2026-0026

01.01.2026, 18:15

cpp-httplib is a C++11 single-file header-only cross platform HTTP/HTTPS library. Prior to version 0.30.0, the ``write_headers`` function does not check for CR & LF characters in user supplied headers, allowing untrusted header value to escape header lines.
This vulnerability allows attackers to add extra headers, modify request body unexpectedly & trigger an SSRF attack. When combined with a server that supports http1.1 pipelining (springboot, python twisted etc), this can be used for server side request forgery (SSRF). Version 0.30.0 fixes this issue.

CRLF Injection

Provider	Type	Base Score	Atk. Vector	Atk. Complexity	Priv. Required	Vector
NIST	Primary	7.5 HIGH	NETWORK	LOW	NONE	CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N

Base Score

CVSS 3.x

EPSS Score

Percentile: 3%

Affected Products (NVD)

Vendor	Product	Version
yhirose	cpp-httplib	𝑥 < 0.30.0

𝑥

= Vulnerable software versions

Debian Releases

Debian Product

Codename

cpp-httplib

bookworm	vulnerable
forky	vulnerable
sid	vulnerable
trixie	vulnerable

Known Exploits!

https://github.com/yhirose/cpp-httplib/security/advisories/GHSA-wpc6-j37r-jcx7

Common Weakness Enumeration

CWE-93 - Improper Neutralization of CRLF Sequences ('CRLF Injection')
The software uses CRLF (carriage return line feeds) as a special element, e.g. to separate lines or records, but it does not neutralize or incorrectly neutralizes CRLF sequences from inputs.

References

https://github.com/yhirose/cpp-httplib/commit/98048a033a532ff22320ce1d11789f8d5710dfcd

https://github.com/yhirose/cpp-httplib/releases/tag/v0.30.0

https://github.com/yhirose/cpp-httplib/security/advisories/GHSA-wpc6-j37r-jcx7