Executive Summary

CVE-2026-46527 is a vulnerability in the cpp-httplib library versions prior to 0.44.0. It occurs when a server uses the set_trusted_proxies() function with a non-empty list of trusted proxies. An attacker can send an HTTP request with a specially crafted X-Forwarded-For header that contains no valid IP segments, such as an empty string or only commas or whitespace.

This causes the get_client_ip() function to process an empty vector of IP addresses and call the front() method on it, which is undefined behavior in C++. This typically leads to abnormal process termination or a server crash, resulting in a denial of service.

The vulnerability arises because the code assumes the vector will always have at least one IP address but does not check for an empty vector before calling front(). It only affects deployments that configure trusted proxies.

Useful 0 Not Useful 0

Impact Analysis

This vulnerability can cause your server to crash or terminate abnormally when it processes a malicious HTTP request with a crafted X-Forwarded-For header. This results in a denial of service (DoS), making your service unavailable to legitimate users.

Useful 0 Not Useful 0

Detection Guidance

This vulnerability can be detected by monitoring for abnormal process termination or crashes in servers using cpp-httplib versions prior to 0.44.0 when configured with non-empty trusted proxy lists.

Specifically, detection involves checking if the server crashes or terminates abnormally after receiving HTTP requests with malformed X-Forwarded-For headers containing no valid IP segments, such as empty strings, comma-only values, or whitespace-only strings.

If Sanitizers are enabled during runtime, explicit diagnostics or runtime errors related to undefined behavior in C++ (such as calling front() on an empty vector) can help identify the issue.

• Send test HTTP requests with X-Forwarded-For headers set to values like "", ",", or " " to see if the server crashes.
• Use network monitoring tools (e.g., tcpdump, Wireshark) to capture and analyze incoming HTTP requests for suspicious X-Forwarded-For headers.
• Check server logs for unexpected crashes or termination events correlated with requests containing malformed X-Forwarded-For headers.

Useful 0 Not Useful 0

Mitigation Strategies

The immediate mitigation step is to upgrade the cpp-httplib library to version 0.44.0 or later, where this vulnerability is fixed.

If upgrading is not immediately possible, avoid configuring the server with a non-empty trusted proxy list using Server::set_trusted_proxies(), as the vulnerability only affects deployments with trusted proxies configured.

Additionally, implement input validation to ensure that the X-Forwarded-For header contains valid IP segments before processing.

Consider enabling runtime sanitizers during development or testing to detect undefined behavior early.

Useful 0 Not Useful 0

Compliance Impact

The provided information does not specify any direct impact of this vulnerability on compliance with common standards and regulations such as GDPR or HIPAA.

Useful 0 Not Useful 0