CVE-2026-21428
HIGH
cpp-httplib < 0.30.0 - CRLF Injection via User-Supplied Headers
Title source: llm
Description
cpp-httplib is a C++11 single-file, header-only, cross-platform HTTP/HTTPS library. Prior to version 0.30.0, the ``write_headers`` function does not check for CR and LF characters in user-supplied headers, allowing an untrusted header value to escape its header line. This vulnerability allows attackers to add extra headers, modify the request body unexpectedly, and trigger an SSRF attack. When combined with a server that supports HTTP/1.1 pipelining (Spring Boot, Python Twisted, etc.), this can be used for server-side request forgery (SSRF). Version 0.30.0 fixes this issue.
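One way to enforce the check the description says was missing, as an added example that is not cpp-httplib's code or its 0.30.0 patch: header names and values are validated before anything is serialized, so a value containing CR or LF is rejected instead of starting a new header line. The names `is_valid_field_name`, `is_valid_field_value`, `write_headers_checked` and the `Headers` alias are hypothetical, and the sample header values are constructed.

```cpp
// Added example (not cpp-httplib code): validate header fields before
// serializing them, so CR/LF in a value cannot start a new header line.
#include <iostream>
#include <map>
#include <string>

using Headers = std::multimap<std::string, std::string>;  // stand-in type

// Field names must consist of RFC 9110 "token" characters only.
bool is_valid_field_name(const std::string &name) {
  if (name.empty()) return false;
  const std::string tchar = "!#$%&'*+-.^_`|~";
  for (unsigned char c : name) {
    bool alnum = (c >= '0' && c <= '9') || (c >= 'A' && c <= 'Z') ||
                 (c >= 'a' && c <= 'z');
    if (!alnum && tchar.find(static_cast<char>(c)) == std::string::npos)
      return false;
  }
  return true;
}

// Field values: reject CR, LF, NUL and other control bytes except HTAB.
bool is_valid_field_value(const std::string &value) {
  for (unsigned char c : value) {
    if (c == '\t') continue;
    if (c < 0x20 || c == 0x7f) return false;
  }
  return true;
}

// Hypothetical writer: serializes all headers or none. Returns false and
// leaves `out` untouched if any field fails validation.
bool write_headers_checked(std::string &out, const Headers &headers) {
  std::string buf;
  for (const auto &h : headers) {
    if (!is_valid_field_name(h.first) || !is_valid_field_value(h.second))
      return false;
    buf += h.first + ": " + h.second + "\r\n";
  }
  out += buf + "\r\n";
  return true;
}

int main() {
  std::string wire;
  // Constructed input: a value carrying CRLF followed by a second header line.
  Headers tainted = {{"X-Trace", "abc\r\nX-Injected: 1"}};
  std::cout << (write_headers_checked(wire, tainted) ? "sent" : "rejected") << "\n";
}
```

Applications that cannot upgrade immediately can apply the same validation to any untrusted string before passing it to the library as a header.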
References (3)
Core References
Exploit, Third Party Advisory x_refsource_confirm
https://github.com/yhirose/cpp-httplib/security/advisories/GHSA-wpc6-j37r-jcx7
Patch x_refsource_misc
https://github.com/yhirose/cpp-httplib/commit/98048a033a532ff22320ce1d11789f8d5710dfcd
Product, Release Notes x_refsource_misc
https://github.com/yhirose/cpp-httplib/releases/tag/v0.30.0
Scores
CVSS v3
7.5
EPSS
0.0037
EPSS Percentile
28.7%
Attack Vector
NETWORK
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N
CISA SSVC
Vulnrichment
Exploitation
poc
Automatable
yes
Technical Impact
partial
Details
CWE
CWE-93
Status
published
Products (1)
yhirose/cpp-httplib
< 0.30.0
Published
Jan 01, 2026
Tracked Since
Feb 18, 2026