CVE-2026-21428
HIGH
Yhirose Cpp-httplib < 0.30.0 - SSRF
Title source: ruleDescription
cpp-httplib is a C++11 single-file, header-only, cross-platform HTTP/HTTPS library. Prior to version 0.30.0, the ``write_headers`` function does not check for CR and LF characters in user-supplied headers, allowing an untrusted header value to escape its header line. This vulnerability allows attackers to add extra headers, modify the request body unexpectedly, and trigger an SSRF attack. When combined with a server that supports HTTP/1.1 pipelining (Spring Boot, Python Twisted, etc.), this can be used for server-side request forgery (SSRF). Version 0.30.0 fixes this issue.
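The missing check described above can also be enforced by the calling application before header data reaches any HTTP client. The following is an added example, not cpp-httplib's code or its 0.30.0 fix; the helper names (`HeaderList`, `is_valid_header_name`, `is_valid_header_value`, `serialize_headers`) are hypothetical and the sample header is constructed.

```cpp
#include <iostream>
#include <string>
#include <utility>
#include <vector>

// Hypothetical helper names for this example; not part of cpp-httplib.
using HeaderList = std::vector<std::pair<std::string, std::string>>;

// Header names: non-empty, RFC 9110 "token" characters only.
bool is_valid_header_name(const std::string& name) {
    static const std::string tchar = "!#$%&'*+-.^_`|~";
    if (name.empty()) return false;
    for (unsigned char c : name) {
        bool alnum = (c >= '0' && c <= '9') || (c >= 'A' && c <= 'Z') ||
                     (c >= 'a' && c <= 'z');
        if (!alnum && tchar.find(static_cast<char>(c)) == std::string::npos)
            return false;
    }
    return true;
}

// Header values: tab, space, visible ASCII and bytes >= 0x80 are allowed;
// CR, LF, NUL and every other control character are rejected.
bool is_valid_header_value(const std::string& value) {
    for (unsigned char c : value)
        if (c != '\t' && (c < 0x20 || c == 0x7f)) return false;
    return true;
}

// Fills `out` with the header block; on any invalid field returns false, `out` empty.
bool serialize_headers(const HeaderList& headers, std::string& out) {
    out.clear();
    for (const auto& h : headers) {
        if (!is_valid_header_name(h.first) || !is_valid_header_value(h.second)) {
            out.clear();
            return false;
        }
        out += h.first + ": " + h.second + "\r\n";
    }
    out += "\r\n";
    return true;
}

int main() {
    HeaderList headers;  // constructed sample input
    headers.emplace_back("X-Request-Id", "abc\r\nX-Extra: 1");
    std::string wire;
    std::cout << (serialize_headers(headers, wire) ? "accepted" : "rejected") << "\n";
}
```

Rejecting the whole request, rather than stripping the offending bytes, keeps a malformed value from being silently rewritten into something the caller did not intend.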
Scores
CVSS v3
7.5
EPSS
0.0002
EPSS Percentile
3.9%
Attack Vector
NETWORK
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N
Classification
CWE
CWE-93
Status
published
Affected Products (1)
yhirose/cpp-httplib
< 0.30.0
Timeline
Published
Jan 01, 2026
Tracked Since
Feb 18, 2026