CVE-2025-66570
Unknown Unknown - Not Provided
BaseFortify

Publication date: 2025-12-05

Last updated on: 2025-12-10

Assigner: GitHub, Inc.

Description
cpp-httplib is a C++11 single-file header-only cross platform HTTP/HTTPS library. Prior to 0.27.0, a vulnerability allows attacker-controlled HTTP headers to influence server-visible metadata, logging, and authorization decisions. An attacker can inject headers named REMOTE_ADDR, REMOTE_PORT, LOCAL_ADDR, LOCAL_PORT that are parsed into the request header multimap via read_headers() in httplib.h (headers.emplace), then the server later appends its own internal metadata using the same header names in Server::process_request without erasing duplicates. Because Request::get_header_value returns the first entry for a header key (id == 0) and the client-supplied headers are parsed before server-inserted headers, downstream code that uses these header names may inadvertently use attacker-controlled values. Affected files/locations: cpp-httplib/httplib.h (read_headers, Server::process_request, Request::get_header_value, get_header_value_u64) and cpp-httplib/docker/main.cc (get_client_ip, nginx_access_logger, nginx_error_logger). Attack surface: attacker-controlled HTTP headers in incoming requests flow into the Request.headers multimap and into logging code that reads forwarded headers, enabling IP spoofing, log poisoning, and authorization bypass via header shadowing. This vulnerability is fixed in 0.27.0.
CVSS Scores
EPSS Scores
Probability:
Percentile:
Meta Information
Published
2025-12-05
Last Modified
2025-12-10
Generated
2026-06-16
AI Q&A
2025-12-10
EPSS Evaluated
2026-06-15
NVD
CVE-2025-66570
EUVD
EUVD-2025-201455
Affected Vendors & Products
Showing 1 associated CPE
Vendor Product Version / Range
yhirose cpp-httplib to 0.27.0 (exc)
Helpful Resources
Exploitability
CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-807 The product uses a protection mechanism that relies on the existence or values of an input, but the input can be modified by an untrusted actor in a way that bypasses the protection mechanism.
CWE-345 The product does not sufficiently verify the origin or authenticity of data, in a way that causes it to accept invalid data.
CWE-290 This attack-focused weakness is caused by incorrectly implemented authentication schemes that are subject to spoofing attacks.
Attack-Flow Graph
AI Quick Actions
Instant insights powered by AI
Compliance Impact

This vulnerability allows attackers to spoof IP addresses, bypass authorization, and poison logs by injecting attacker-controlled HTTP headers that override internal metadata. Such unauthorized access and log manipulation can lead to breaches of confidentiality and integrity, which are critical concerns under compliance standards like GDPR and HIPAA. Specifically, unauthorized access to sensitive data or systems and tampering with audit logs can violate data protection and security requirements mandated by these regulations. Therefore, if exploited, this vulnerability could result in non-compliance with standards that require strict access controls, accurate logging, and protection of personal or sensitive information. [1]

Executive Summary

This vulnerability in cpp-httplib prior to version 0.27.0 allows an attacker to inject specially named HTTP headers (REMOTE_ADDR, REMOTE_PORT, LOCAL_ADDR, LOCAL_PORT) into incoming requests. These attacker-controlled headers are parsed and stored alongside server-generated metadata without removing duplicates. Because the library returns the first occurrence of these headers, downstream code may use the attacker-supplied values instead of the correct server values. This can lead to IP spoofing, log poisoning, and authorization bypass through header shadowing.

Impact Analysis

The vulnerability can impact you by allowing attackers to spoof IP addresses, poison logs with false information, and bypass authorization mechanisms that rely on these headers. This can lead to unauthorized access, inaccurate logging for auditing or forensic purposes, and potential security breaches.

Mitigation Strategies

Upgrade cpp-httplib to version 0.27.0 or later, as this version contains the fix for the vulnerability.

Detection Guidance

This vulnerability can be detected by monitoring HTTP requests for suspicious or unexpected headers named REMOTE_ADDR, REMOTE_PORT, LOCAL_ADDR, and LOCAL_PORT, which should not normally be set by clients. You can use network capture tools like tcpdump or Wireshark to inspect incoming HTTP headers for these spoofed headers. For example, using tcpdump to capture HTTP traffic and grep for these headers: 1. Capture HTTP traffic on port 80 or 443 (if unencrypted): tcpdump -A -s 0 'tcp port 80' | grep -iE 'REMOTE_ADDR|REMOTE_PORT|LOCAL_ADDR|LOCAL_PORT' 2. If HTTPS is used, decrypting traffic or inspecting server logs for these headers may be necessary. Additionally, using curl commands to test if the server accepts and processes these headers can help detect vulnerability: curl -v -H 'REMOTE_ADDR: 1.2.3.4' -H 'REMOTE_PORT: 1234' http://yourserver/path If the server behaves differently or logs show these spoofed headers, it indicates vulnerability. After patching, these headers should be ignored or rejected. Monitoring logs for unexpected IP addresses or authorization bypass events can also help detect exploitation attempts. [1]

Chat Assistant
Ask questions about this CVE
Hi! I’m here to help you understand CVE-2025-66570. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70
EPSS Chart