Executive Summary

CVE-2026-21428 is a CRLF (Carriage Return Line Feed) injection vulnerability in the cpp-httplib library versions prior to 0.30.0. The vulnerability occurs because the `write_headers` function does not validate or sanitize user-supplied HTTP header values, allowing attackers to inject CR and LF characters. This enables attackers to prematurely terminate HTTP header lines and insert additional headers or manipulate the HTTP request body. This flaw can be exploited to perform HTTP/1.1 request splitting, which can lead to server-side request forgery (SSRF) attacks when combined with servers supporting HTTP/1.1 pipelining, such as Spring Boot or Python Twisted. The vulnerability allows attackers to add extra headers, modify request bodies unexpectedly, and trigger SSRF attacks. [2, 3]

Useful 0 Not Useful 0

Impact Analysis

This vulnerability can allow attackers to inject arbitrary HTTP headers and manipulate the request body, which can lead to server-side request forgery (SSRF) attacks. SSRF attacks can cause the server to make unintended requests to internal or external systems, potentially exposing sensitive information or enabling further attacks. The vulnerability can cause unexpected server behavior by processing multiple HTTP requests from a single crafted request. However, the overall severity is considered low with no direct impact on confidentiality, integrity, or availability, and no privileges or user interaction required. [2]

Useful 0 Not Useful 0

Detection Guidance

Detection of this vulnerability involves monitoring HTTP headers for CRLF injection attempts, such as headers containing unexpected carriage return (\r) and line feed (\n) characters that break header lines and inject additional headers or requests. A practical approach is to capture and inspect HTTP traffic using tools like Wireshark or tcpdump to look for suspicious header values containing CRLF sequences. Additionally, testing with crafted HTTP requests that include CRLF sequences in header values can help identify vulnerable cpp-httplib versions. For example, using curl or netcat to send headers with embedded \r\n sequences and observing if the server processes multiple requests or unexpected headers can indicate vulnerability. Specific commands might include: 1) Using tcpdump to capture HTTP traffic: `tcpdump -i <interface> -A 'tcp port 80 or tcp port 443'` 2) Using curl to send a crafted header (note: some clients may sanitize input, so raw socket tools like netcat or custom scripts may be needed): `curl -v -H $'X-Test: test\r\nInjected-Header: injected' http://target` 3) Using netcat or a custom script to send raw HTTP requests with CRLF injection payloads to test server behavior. These methods help detect if the server improperly processes injected headers or multiple requests due to the vulnerability. [2, 3]

Useful 0 Not Useful 0

Mitigation Strategies

The immediate mitigation step is to upgrade the cpp-httplib library to version 0.30.0 or later, where the vulnerability is fixed by adding strict validation of HTTP header names and values to prevent CRLF injection. If upgrading is not immediately possible, implement input validation to sanitize or reject headers containing CR or LF characters before they are processed or sent. Additionally, avoid using vulnerable versions of cpp-httplib in environments where HTTP/1.1 pipelining is enabled, as this increases the risk of SSRF exploitation. Monitoring and blocking suspicious HTTP requests with injected CRLF sequences at the network perimeter or application firewall can also help mitigate exploitation attempts until the patch is applied. [1, 2, 3]

Useful 0 Not Useful 0