Executive Summary

[{'type': 'paragraph', 'content': "CVE-2026-28434 is an information disclosure vulnerability in the cpp-httplib library versions up to 0.34.0. When a request handler throws a C++ exception and the application has not registered a custom exception handler via set_exception_handler(), the library's default handler catches the exception and inserts the exception's message (e.what()) directly into an HTTP response header named EXCEPTION_WHAT."}, {'type': 'paragraph', 'content': 'This header is sent to the client without any authentication or special configuration, exposing potentially sensitive internal information such as file paths, configuration keys, class names, database identifiers, and even secret keys embedded in exception messages.'}, {'type': 'paragraph', 'content': 'The vulnerability occurs because the default behavior is enabled by default and developers unaware of the need to opt-in to set_exception_handler() will ship servers that leak internal exception messages to any client.'}, {'type': 'paragraph', 'content': 'This issue was fixed in version 0.35.0 by removing the code that added the EXCEPTION_WHAT header to HTTP responses.'}] [1, 2]

Useful 0 Not Useful 0

Impact Analysis

This vulnerability can lead to information disclosure of internal implementation details to any unauthenticated HTTP client.

• Exposure of sensitive information such as file paths, configuration files, container sizes, class names, database connection strings, and potentially secret keys.
• Attackers can remotely exploit this vulnerability without any privileges or user interaction.

Such information leakage can aid attackers in further attacks by revealing internal server details and secrets.

The CVSS v3 base score is 5.3 (Moderate), but if secrets are leaked, the confidentiality impact rises to High with a score of 7.5.

Useful 0 Not Useful 0

Compliance Impact

I don't know

Useful 0 Not Useful 0

Detection Guidance

This vulnerability can be detected by sending HTTP requests to the affected cpp-httplib server and inspecting the HTTP response headers for the presence of the header named EXCEPTION_WHAT.

If the server responds with an EXCEPTION_WHAT header containing exception messages, it indicates the vulnerability is present.

Tools like curl or Burp Suite can be used to detect this by making requests that trigger exceptions on the server.

• Example curl command to detect the vulnerability: curl -i http://target-server/path-that-triggers-exception
• Check the HTTP response headers for EXCEPTION_WHAT, e.g., by piping curl output to grep: curl -i http://target-server/path | grep EXCEPTION_WHAT

Useful 0 Not Useful 0

Mitigation Strategies

[{'type': 'paragraph', 'content': 'To mitigate this vulnerability, immediately update the cpp-httplib library to version 0.35.0 or later where the issue is fixed.'}, {'type': 'paragraph', 'content': 'If updating is not immediately possible, register a custom exception handler using the set_exception_handler() function to prevent exception messages from being leaked in HTTP headers.'}, {'type': 'paragraph', 'content': "The custom exception handler should catch exceptions and respond with generic error messages without including the exception's e.what() message."}, {'type': 'paragraph', 'content': 'Additionally, review server routes to avoid throwing uncaught exceptions that could trigger this behavior.'}] [2, 1]

Useful 0 Not Useful 0