CVE-2026-45372
Modified Modified - Updated After Analysis
HTTP Header Injection in cpp-httplib

Publication date: 2026-05-29

Last updated on: 2026-06-01

Assigner: GitHub, Inc.

Description
cpp-httplib is a C++11 single-file header-only cross platform HTTP/HTTPS library. Prior to 0.44.0, when cpp-httplib's server parses an incoming request, it applies percent-decoding to every header value except Location and Referer. The validity check (is_field_value) is run before decoding, so encoded %0D%0A passes the check and is then expanded to a literal \r\n byte pair inside the stored header value. This vulnerability is fixed in 0.44.0.
CVSS Scores
EPSS Scores
Probability:
Percentile:
Meta Information
Published
2026-05-29
Last Modified
2026-06-01
Generated
2026-06-19
AI Q&A
2026-05-29
EPSS Evaluated
2026-06-18
NVD
CVE-2026-45372
EUVD
EUVD-2026-33427
Affected Vendors & Products
Showing 1 associated CPE
Vendor Product Version / Range
yhirose cpp-httplib to 0.44.0 (exc)
Helpful Resources
Exploitability
CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-444 The product acts as an intermediary HTTP agent (such as a proxy or firewall) in the data flow between two entities such as a client and server, but it does not interpret malformed HTTP requests or responses in ways that are consistent with how the messages will be processed by those entities that are at the ultimate destination.
CWE-93 The product uses CRLF (carriage return line feeds) as a special element, e.g. to separate lines or records, but it does not neutralize or incorrectly neutralizes CRLF sequences from inputs.
Attack-Flow Graph
AI Quick Actions
Instant insights powered by AI
Detection Guidance

This vulnerability can be detected by monitoring HTTP requests for header values containing percent-encoded CRLF sequences such as %0D%0A, which decode into carriage return and line feed characters allowing header injection.

You can use network inspection tools or command-line utilities like curl or tcpdump to capture and analyze HTTP headers for suspicious encoded sequences.

  • Use tcpdump to capture HTTP traffic: tcpdump -A -s 0 'tcp port 80 or tcp port 443'
  • Use curl to send test requests with encoded CRLF sequences in headers: curl -H 'X-Custom: a%0D%0AInjected: b' http://target
  • Inspect logs or proxy outputs for unexpected header splitting or injection patterns.
Mitigation Strategies

The primary mitigation is to upgrade cpp-httplib to version 0.44.0 or later, where the vulnerability is fixed by removing percent-decoding from header parsing or re-validating decoded values to reject control characters.

If upgrading is not immediately possible, consider implementing input validation or filtering to block headers containing percent-encoded CRLF sequences before they reach the vulnerable library.

Additionally, monitor and restrict usage of the vulnerable library as a forward proxy to reduce risk of request smuggling and response splitting.

Compliance Impact

The vulnerability in cpp-httplib allows CRLF injection attacks through improper percent-decoding of HTTP header values, which can lead to HTTP response splitting, log injection, and request smuggling. Such attacks can result in unauthorized data manipulation, exposure, or tampering.

These security issues can impact compliance with standards and regulations like GDPR and HIPAA, which require protection of data integrity, confidentiality, and secure handling of personal and sensitive information. Exploitation of this vulnerability could lead to breaches of these requirements by enabling attackers to manipulate HTTP headers and potentially access or alter protected data.

Therefore, failure to patch this vulnerability may result in non-compliance with these regulations due to increased risk of data breaches and insufficient protection against injection attacks.

Executive Summary

The CVE-2026-45372 vulnerability in cpp-httplib involves improper handling of percent-encoded sequences in HTTP header values on the server side. Specifically, the library decodes percent-encoded characters (like %0D%0A representing carriage return and line feed) in all header values except Location and Referer without re-validating the decoded content. This allows encoded CRLF sequences to be expanded into literal control characters inside header values, which violates HTTP standards (RFC 9110 Β§5.5).

Because the validity check is done before decoding, encoded malicious sequences pass the check and then get decoded, enabling attackers to inject additional HTTP headers or manipulate requests and responses.

This vulnerability enables CRLF injection attacks such as HTTP response splitting, log injection, and request smuggling, especially when the library is used as a forward proxy or when decoded headers are reflected or processed downstream.

Impact Analysis

This vulnerability can have serious security impacts including allowing attackers to perform HTTP response splitting, which can lead to web cache poisoning, cross-site scripting (XSS), and other injection attacks.

It can also enable log injection, corrupting server logs and potentially hiding malicious activity.

Request smuggling attacks are possible, which can bypass security controls, interfere with request routing, or cause unauthorized access.

Additionally, because the decoding affects headers like cookies and X-Forwarded-For, it can cause misinterpretation of requests by the application compared to security devices like WAFs or proxies, increasing the risk of undetected attacks.

Chat Assistant
Ask questions about this CVE
Hi! I’m here to help you understand CVE-2026-45372. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70
EPSS Chart