CVE-2026-45372
HTTP Header Injection in cpp-httplib
Publication date: 2026-05-29
Last updated on: 2026-05-29
Assigner: GitHub, Inc.
Description
Description
CVSS Scores
EPSS Scores
| Probability: | |
| Percentile: |
Meta Information
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| cpp-httplib | cpp-httplib | to 0.44.0 (exc) |
Helpful Resources
Exploitability
| CWE ID | Description |
|---|---|
| CWE-444 | The product acts as an intermediary HTTP agent (such as a proxy or firewall) in the data flow between two entities such as a client and server, but it does not interpret malformed HTTP requests or responses in ways that are consistent with how the messages will be processed by those entities that are at the ultimate destination. |
| CWE-93 | The product uses CRLF (carriage return line feeds) as a special element, e.g. to separate lines or records, but it does not neutralize or incorrectly neutralizes CRLF sequences from inputs. |
Attack-Flow Graph
AI Powered Q&A
Can you explain this vulnerability to me?
The CVE-2026-45372 vulnerability in cpp-httplib involves improper handling of percent-encoded sequences in HTTP header values on the server side. Specifically, the library decodes percent-encoded characters (like %0D%0A representing carriage return and line feed) in all header values except Location and Referer without re-validating the decoded content. This allows encoded CRLF sequences to be expanded into literal control characters inside header values, which violates HTTP standards (RFC 9110 Β§5.5).
Because the validity check is done before decoding, encoded malicious sequences pass the check and then get decoded, enabling attackers to inject additional HTTP headers or manipulate requests and responses.
This vulnerability enables CRLF injection attacks such as HTTP response splitting, log injection, and request smuggling, especially when the library is used as a forward proxy or when decoded headers are reflected or processed downstream.
How can this vulnerability be detected on my network or system? Can you suggest some commands?
This vulnerability can be detected by monitoring HTTP requests for header values containing percent-encoded CRLF sequences such as %0D%0A, which decode into carriage return and line feed characters allowing header injection.
You can use network inspection tools or command-line utilities like curl or tcpdump to capture and analyze HTTP headers for suspicious encoded sequences.
- Use tcpdump to capture HTTP traffic: tcpdump -A -s 0 'tcp port 80 or tcp port 443'
- Use curl to send test requests with encoded CRLF sequences in headers: curl -H 'X-Custom: a%0D%0AInjected: b' http://target
- Inspect logs or proxy outputs for unexpected header splitting or injection patterns.
What immediate steps should I take to mitigate this vulnerability?
The primary mitigation is to upgrade cpp-httplib to version 0.44.0 or later, where the vulnerability is fixed by removing percent-decoding from header parsing or re-validating decoded values to reject control characters.
If upgrading is not immediately possible, consider implementing input validation or filtering to block headers containing percent-encoded CRLF sequences before they reach the vulnerable library.
Additionally, monitor and restrict usage of the vulnerable library as a forward proxy to reduce risk of request smuggling and response splitting.
How can this vulnerability impact me? :
This vulnerability can have serious security impacts including allowing attackers to perform HTTP response splitting, which can lead to web cache poisoning, cross-site scripting (XSS), and other injection attacks.
It can also enable log injection, corrupting server logs and potentially hiding malicious activity.
Request smuggling attacks are possible, which can bypass security controls, interfere with request routing, or cause unauthorized access.
Additionally, because the decoding affects headers like cookies and X-Forwarded-For, it can cause misinterpretation of requests by the application compared to security devices like WAFs or proxies, increasing the risk of undetected attacks.