Description
Versions of the package yhirose/cpp-httplib before 0.12.4 are vulnerable to CRLF Injection when untrusted user input is used to set the `Content-Type` header in HTTP `.Patch`, `.Post`, `.Put` and `.Delete` requests. This can lead to logical errors and other misbehaviors. **Note:** This issue is present due to an incomplete fix for [CVE-2020-11709](https://security.snyk.io/vuln/SNYK-UNMANAGED-YHIROSECPPHTTPLIB-2366507).
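The following is an added example, not code from cpp-httplib or from the advisory: a caller-side check that rejects a content-type value containing CR, LF or NUL before it reaches any request builder. The serializer, the function names and the sample value are hypothetical and constructed for illustration.

```cpp
#include <cstddef>
#include <iostream>
#include <string>

// Constructed sample input: a content-type value carrying an embedded CRLF.
static const std::string kConstructedValue = "text/plain\r\nX-Constructed: 1";

// A header field value must not contain CR, LF or NUL.
bool is_safe_header_value(const std::string& v) {
    for (unsigned char c : v)
        if (c == '\r' || c == '\n' || c == '\0') return false;
    return true;
}

// Hypothetical serializer (not cpp-httplib's code) that copies the value verbatim.
std::string build_request_unchecked(const std::string& path,
                                    const std::string& content_type,
                                    const std::string& body) {
    return "POST " + path + " HTTP/1.1\r\n"
           "Content-Type: " + content_type + "\r\n"
           "Content-Length: " + std::to_string(body.size()) + "\r\n\r\n" + body;
}

// Same serializer behind the check; returns false and leaves `out` empty on rejection.
bool build_request_checked(const std::string& path, const std::string& content_type,
                           const std::string& body, std::string& out) {
    out.clear();
    if (!is_safe_header_value(content_type)) return false;
    out = build_request_unchecked(path, content_type, body);
    return true;
}

// Number of header lines a receiving parser would see before the blank line.
std::size_t count_header_lines(const std::string& request) {
    const std::string head = request.substr(0, request.find("\r\n\r\n"));
    std::size_t n = 0;
    for (std::size_t pos = head.find("\r\n"); pos != std::string::npos;
         pos = head.find("\r\n", pos + 2))
        ++n;
    return n;
}

int main() {
    std::string out;
    std::cout << count_header_lines(build_request_unchecked("/x", kConstructedValue, "hi"))
              << " header lines unchecked; accepted when checked: "
              << build_request_checked("/x", kConstructedValue, "hi", out) << "\n";
}
```

The unchecked path turns one header into two on the wire, which is the logical error the description refers to; the checked path refuses the value outright rather than trying to strip or escape it.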
References (8)
Core References
Third Party Advisory
https://gist.github.com/dellalibera/094aece17a86069a7d27f93c8aba2280
Third Party Advisory
https://security.snyk.io/vuln/SNYK-UNMANAGED-YHIROSECPPHTTPLIB-5591194
Mailing List, Third Party Advisory
https://lists.fedoraproject.org/archives/list/[email protected]/message/2RY6PKBU73I45L6YWNYCUK2XBEXEFX7L/
Mailing List, Third Party Advisory
https://lists.fedoraproject.org/archives/list/[email protected]/message/JY2E7EIRWQMKH6GY4OZOWWBZBY3Q7CGS/
Mailing List, Third Party Advisory
https://lists.fedoraproject.org/archives/list/[email protected]/message/NYODHZECXYFC2BNODZPZXZAXOKGMCYAP/
Mailing List, Third Party Advisory
https://lists.fedoraproject.org/archives/list/[email protected]/message/U6MO4FSKYNSAJVUXYP7LRY7ARUIGKBFL/
Scores
CVSS v3: 7.5
EPSS: 0.0114
EPSS Percentile: 62.3%
Attack Vector: NETWORK
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N
CISA SSVC
Vulnrichment
Exploitation: none
Automatable: no
Technical Impact: partial
Details
CWE: CWE-93, CWE-74, CWE-77
Status: published
Products (1)
cpp-httplib_project/cpp-httplib < 0.12.4
Published: May 30, 2023
Tracked Since: Feb 18, 2026