CVE-2026-46527
Denial of Service in cpp-httplib via X-Forwarded-For Header
Publication date: 2026-05-29
Last updated on: 2026-05-29
Assigner: GitHub, Inc.
Description
CVSS Scores
EPSS Scores
| Metric | Value |
|---|---|
| Probability | |
| Percentile | |
Meta Information
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| cpp-httplib | cpp-httplib | before 0.44.0 (0.44.0 excluded) |
| yhirose | cpp-httplib | before 0.44.0 (0.44.0 excluded) |
Helpful Resources
Exploitability
| CWE ID | Description |
|---|---|
| CWE-476 | The product dereferences a pointer that it expects to be valid but is NULL. |
Attack-Flow Graph
AI Powered Q&A
Can you explain this vulnerability to me?
CVE-2026-46527 is a vulnerability in cpp-httplib versions prior to 0.44.0. It is reachable only when a server has called set_trusted_proxies() with a non-empty list of trusted proxies. An attacker can then send an HTTP request whose X-Forwarded-For header contains no valid IP segment, for example an empty string, only commas, or only whitespace.
In that case get_client_ip() ends up with an empty vector of IP addresses and calls front() on it. Calling front() on an empty std::vector is undefined behavior in C++, which in practice means abnormal process termination or a server crash, i.e. a denial of service.
The root cause is that the code assumes the vector always holds at least one address and never checks for emptiness before calling front(). Deployments that do not configure trusted proxies are not affected.
How can this vulnerability impact me?
This vulnerability can cause your server to crash or terminate abnormally when it processes a malicious HTTP request with a crafted X-Forwarded-For header. This results in a denial of service (DoS), making your service unavailable to legitimate users.
How can this vulnerability be detected on my network or system? Can you suggest some commands?
This vulnerability can be detected by watching for abnormal process termination or crashes in servers that run cpp-httplib versions prior to 0.44.0 with a non-empty trusted proxy list configured.
Specifically, look for the server crashing or terminating abnormally right after receiving HTTP requests whose X-Forwarded-For header contains no valid IP segment (empty string, comma-only value, or whitespace-only value).
If the server binary was built with runtime sanitizers, the undefined behavior (front() called on an empty vector) produces an explicit diagnostic or runtime error that pinpoints the problem.
- Send test HTTP requests with X-Forwarded-For headers set to values like "", ",", or " " to see if the server crashes.
- Use network monitoring tools (e.g., tcpdump, Wireshark) to capture and analyze incoming HTTP requests for suspicious X-Forwarded-For headers.
- Check server logs for unexpected crashes or termination events correlated with requests containing malformed X-Forwarded-For headers.
What immediate steps should I take to mitigate this vulnerability?
The immediate mitigation step is to upgrade the cpp-httplib library to version 0.44.0 or later, where this vulnerability is fixed.
If upgrading is not immediately possible, avoid configuring the server with a non-empty trusted proxy list using Server::set_trusted_proxies(), as the vulnerability only affects deployments with trusted proxies configured.
Additionally, implement input validation to ensure that the X-Forwarded-For header contains valid IP segments before processing.
Consider enabling runtime sanitizers during development or testing to detect undefined behavior early.
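As an added illustration of the defect described in the explanation above and of the input-validation mitigation, the following C++ is example code written for this page, not cpp-httplib's own get_client_ip(). It shows the unchecked front() pattern beside a hardened parser that splits X-Forwarded-For on commas, trims whitespace, drops empty or implausible segments, and falls back to the socket peer address when nothing usable remains. The function names, the choice of the leftmost segment as the client address, and the simple character-class plausibility filter are all assumptions made for the example; the library's real trusted-proxy walk is not reproduced.

```cpp
#include <iostream>
#include <optional>
#include <string>
#include <vector>

// Illustrative only: not cpp-httplib's code. Syntactic plausibility check for
// an IP literal (digits, hex letters, dots, colons). A real deployment would
// parse the address properly; this is enough to reject "", " " and junk.
static bool looks_like_ip_literal(const std::string &s) {
    if (s.empty()) return false;
    return s.find_first_not_of("0123456789abcdefABCDEF.:") == std::string::npos;
}

// Splits an X-Forwarded-For value on commas, trims ASCII whitespace and keeps
// only plausible segments, so "", ",", " " and " , ," all yield an empty vector.
std::vector<std::string> split_forwarded_for(const std::string &value) {
    std::vector<std::string> segments;
    std::string::size_type start = 0;
    while (start <= value.size()) {
        auto end = value.find(',', start);
        if (end == std::string::npos) end = value.size();
        std::string seg = value.substr(start, end - start);
        auto first = seg.find_first_not_of(" \t");
        if (first != std::string::npos) {
            auto last = seg.find_last_not_of(" \t");
            seg = seg.substr(first, last - first + 1);
            if (looks_like_ip_literal(seg)) segments.push_back(seg);
        }
        start = end + 1;
    }
    return segments;
}

// Vulnerable pattern: assumes at least one segment exists and calls front()
// unconditionally. On an empty vector this is undefined behaviour. Shown for
// comparison; never called with empty input in this file.
std::string client_ip_unchecked(const std::vector<std::string> &segments) {
    return segments.front();
}

// Hardened pattern: the emptiness check the advisory says was missing, returning
// "no value" instead of dereferencing a non-existent element. Takes the leftmost
// segment (assumption for this example).
std::optional<std::string> first_forwarded_ip(const std::string &header) {
    auto segments = split_forwarded_for(header);
    if (segments.empty()) return std::nullopt;
    return segments.front();
}

// What a server should do when the request arrived via a trusted proxy: use the
// forwarded address if one survived validation, otherwise keep the TCP peer.
std::string resolve_client_ip(const std::string &peer_addr,
                              const std::string &xff,
                              bool from_trusted_proxy) {
    if (!from_trusted_proxy) return peer_addr;
    auto ip = first_forwarded_ip(xff);
    return ip ? *ip : peer_addr;
}

int main() {
    // Constructed sample header values, including the malformed shapes the advisory names.
    const char *samples[] = {"", ",", " ", " , ,", "203.0.113.7, 10.0.0.1"};
    for (const char *h : samples) {
        std::cout << '"' << h << "\" -> "
                  << resolve_client_ip("10.0.0.9", h, true) << '\n';
    }
    return 0;
}
```

The hardened path never touches front() without first checking the vector, which is the whole fix; the validation step is what the mitigation text calls "input validation" and is useful even after upgrading, since it keeps garbage segments out of logs and access-control decisions.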