{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2026-21428", "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "state": "PUBLISHED", "assignerShortName": "GitHub_M", "dateReserved": "2025-12-29T03:00:29.274Z", "datePublished": "2026-01-01T17:54:43.959Z", "dateUpdated": "2026-01-02T18:50:20.380Z"}, "containers": {"cna": {"title": "cpp-httplib has CRLF injection in http headers", "problemTypes": [{"descriptions": [{"cweId": "CWE-93", "lang": "en", "description": "CWE-93: Improper Neutralization of CRLF Sequences ('CRLF Injection')", "type": "CWE"}]}], "metrics": [{"cvssV4_0": {"attackVector": "NETWORK", "attackComplexity": "LOW", "attackRequirements": "NONE", "privilegesRequired": "NONE", "userInteraction": "NONE", "vulnConfidentialityImpact": "NONE", "vulnIntegrityImpact": "HIGH", "vulnAvailabilityImpact": "NONE", "subConfidentialityImpact": "NONE", "subIntegrityImpact": "NONE", "subAvailabilityImpact": "NONE", "baseScore": 7.7, "baseSeverity": "HIGH", "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:H/VA:N/SC:N/SI:N/SA:N/E:P", "version": "4.0"}}], "references": [{"name": "https://github.com/yhirose/cpp-httplib/security/advisories/GHSA-wpc6-j37r-jcx7", "tags": ["x_refsource_CONFIRM"], "url": "https://github.com/yhirose/cpp-httplib/security/advisories/GHSA-wpc6-j37r-jcx7"}, {"name": "https://github.com/yhirose/cpp-httplib/commit/98048a033a532ff22320ce1d11789f8d5710dfcd", "tags": ["x_refsource_MISC"], "url": "https://github.com/yhirose/cpp-httplib/commit/98048a033a532ff22320ce1d11789f8d5710dfcd"}, {"name": "https://github.com/yhirose/cpp-httplib/releases/tag/v0.30.0", "tags": ["x_refsource_MISC"], "url": "https://github.com/yhirose/cpp-httplib/releases/tag/v0.30.0"}], "affected": [{"vendor": "yhirose", "product": "cpp-httplib", "versions": [{"version": "< 0.30.0", "status": "affected"}]}], "providerMetadata": {"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M", "dateUpdated": "2026-01-01T17:54:43.959Z"}, "descriptions": [{"lang": "en", "value": "cpp-httplib is a C++11 single-file header-only cross platform HTTP/HTTPS library. Prior to version 0.30.0, the ``write_headers`` function does not check for CR & LF characters in user supplied headers, allowing untrusted header value to escape header lines.\nThis vulnerability allows attackers to add extra headers, modify request body unexpectedly & trigger an SSRF attack. When combined with a server that supports http1.1 pipelining (springboot, python twisted etc), this can be used for server side request forgery (SSRF). Version 0.30.0 fixes this issue."}], "source": {"advisory": "GHSA-wpc6-j37r-jcx7", "discovery": "UNKNOWN"}}, "adp": [{"metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2026-01-02T18:50:07.704892Z", "id": "CVE-2026-21428", "options": [{"Exploitation": "poc"}, {"Automatable": "yes"}, {"Technical Impact": "partial"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-01-02T18:50:20.380Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2026-21428", "role": "CISA Coordinator", "options": [{"Exploitation": "poc"}, {"Automatable": "yes"}, {"Technical Impact": "partial"}], "version": "2.0.3", "timestamp": "2026-01-02T18:50:07.704892Z"}}}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-01-02T18:50:14.604Z"}}], "cna": {"title": "cpp-httplib has CRLF injection in http headers", "source": {"advisory": "GHSA-wpc6-j37r-jcx7", "discovery": "UNKNOWN"}, "metrics": [{"cvssV4_0": {"version": "4.0", "baseScore": 7.7, "attackVector": "NETWORK", "baseSeverity": "HIGH", "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:H/VA:N/SC:N/SI:N/SA:N/E:P", "userInteraction": "NONE", "attackComplexity": "LOW", "attackRequirements": "NONE", "privilegesRequired": "NONE", "subIntegrityImpact": "NONE", "vulnIntegrityImpact": "HIGH", "subAvailabilityImpact": "NONE", "vulnAvailabilityImpact": "NONE", "subConfidentialityImpact": "NONE", "vulnConfidentialityImpact": "NONE"}}], "affected": [{"vendor": "yhirose", "product": "cpp-httplib", "versions": [{"status": "affected", "version": "< 0.30.0"}]}], "references": [{"url": "https://github.com/yhirose/cpp-httplib/security/advisories/GHSA-wpc6-j37r-jcx7", "name": "https://github.com/yhirose/cpp-httplib/security/advisories/GHSA-wpc6-j37r-jcx7", "tags": ["x_refsource_CONFIRM"]}, {"url": "https://github.com/yhirose/cpp-httplib/commit/98048a033a532ff22320ce1d11789f8d5710dfcd", "name": "https://github.com/yhirose/cpp-httplib/commit/98048a033a532ff22320ce1d11789f8d5710dfcd", "tags": ["x_refsource_MISC"]}, {"url": "https://github.com/yhirose/cpp-httplib/releases/tag/v0.30.0", "name": "https://github.com/yhirose/cpp-httplib/releases/tag/v0.30.0", "tags": ["x_refsource_MISC"]}], "descriptions": [{"lang": "en", "value": "cpp-httplib is a C++11 single-file header-only cross platform HTTP/HTTPS library. Prior to version 0.30.0, the ``write_headers`` function does not check for CR & LF characters in user supplied headers, allowing untrusted header value to escape header lines.\nThis vulnerability allows attackers to add extra headers, modify request body unexpectedly & trigger an SSRF attack. When combined with a server that supports http1.1 pipelining (springboot, python twisted etc), this can be used for server side request forgery (SSRF). Version 0.30.0 fixes this issue."}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-93", "description": "CWE-93: Improper Neutralization of CRLF Sequences ('CRLF Injection')"}]}], "providerMetadata": {"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M", "dateUpdated": "2026-01-01T17:54:43.959Z"}}}, "cveMetadata": {"cveId": "CVE-2026-21428", "state": "PUBLISHED", "dateUpdated": "2026-01-02T18:50:20.380Z", "dateReserved": "2025-12-29T03:00:29.274Z", "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "datePublished": "2026-01-01T17:54:43.959Z", "assignerShortName": "GitHub_M"}, "dataVersion": "5.2"}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:yhirose:cpp-httplib:*:*:*:*:*:*:*:*", "matchCriteriaId": "884C94CD-B632-4081-9141-BB0FBFE2516E", "versionEndExcluding": "0.30.0", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "cveTags": [], "descriptions": [{"lang": "en", "value": "cpp-httplib is a C++11 single-file header-only cross platform HTTP/HTTPS library. Prior to version 0.30.0, the ``write_headers`` function does not check for CR & LF characters in user supplied headers, allowing untrusted header value to escape header lines.\nThis vulnerability allows attackers to add extra headers, modify request body unexpectedly & trigger an SSRF attack. When combined with a server that supports http1.1 pipelining (springboot, python twisted etc), this can be used for server side request forgery (SSRF). Version 0.30.0 fixes this issue."}], "id": "CVE-2026-21428", "lastModified": "2026-01-06T18:20:44.533", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 7.5, "baseSeverity": "HIGH", "confidentialityImpact": "NONE", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N", "version": "3.1"}, "exploitabilityScore": 3.9, "impactScore": 3.6, "source": "nvd@nist.gov", "type": "Primary"}], "cvssMetricV40": [{"cvssData": {"Automatable": "NOT_DEFINED", "Recovery": "NOT_DEFINED", "Safety": "NOT_DEFINED", "attackComplexity": "LOW", "attackRequirements": "NONE", "attackVector": "NETWORK", "availabilityRequirement": "NOT_DEFINED", "baseScore": 7.7, "baseSeverity": "HIGH", "confidentialityRequirement": "NOT_DEFINED", "exploitMaturity": "PROOF_OF_CONCEPT", "integrityRequirement": "NOT_DEFINED", "modifiedAttackComplexity": "NOT_DEFINED", "modifiedAttackRequirements": "NOT_DEFINED", "modifiedAttackVector": "NOT_DEFINED", "modifiedPrivilegesRequired": "NOT_DEFINED", "modifiedSubAvailabilityImpact": "NOT_DEFINED", "modifiedSubConfidentialityImpact": "NOT_DEFINED", "modifiedSubIntegrityImpact": "NOT_DEFINED", "modifiedUserInteraction": "NOT_DEFINED", "modifiedVulnAvailabilityImpact": "NOT_DEFINED", "modifiedVulnConfidentialityImpact": "NOT_DEFINED", "modifiedVulnIntegrityImpact": "NOT_DEFINED", "privilegesRequired": "NONE", "providerUrgency": "NOT_DEFINED", "subAvailabilityImpact": "NONE", "subConfidentialityImpact": "NONE", "subIntegrityImpact": "NONE", "userInteraction": "NONE", "valueDensity": "NOT_DEFINED", "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:H/VA:N/SC:N/SI:N/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X", "version": "4.0", "vulnAvailabilityImpact": "NONE", "vulnConfidentialityImpact": "NONE", "vulnIntegrityImpact": "HIGH", "vulnerabilityResponseEffort": "NOT_DEFINED"}, "source": "security-advisories@github.com", "type": "Secondary"}]}, "published": "2026-01-01T18:15:41.057", "references": [{"source": "security-advisories@github.com", "tags": ["Patch"], "url": "https://github.com/yhirose/cpp-httplib/commit/98048a033a532ff22320ce1d11789f8d5710dfcd"}, {"source": "security-advisories@github.com", "tags": ["Product", "Release Notes"], "url": "https://github.com/yhirose/cpp-httplib/releases/tag/v0.30.0"}, {"source": "security-advisories@github.com", "tags": ["Exploit", "Third Party Advisory"], "url": "https://github.com/yhirose/cpp-httplib/security/advisories/GHSA-wpc6-j37r-jcx7"}], "sourceIdentifier": "security-advisories@github.com", "vulnStatus": "Analyzed", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-93"}], "source": "security-advisories@github.com", "type": "Primary"}]}

{"bugzilla": {"description": "cpp-httplib: cpp-httplib: Server-Side Request Forgery via header injection", "id": "2426666", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2426666"}, "csaw": false, "cvss3": {"cvss3_base_score": "8.7", "cvss3_scoring_vector": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:C/C:H/I:H/A:N", "status": "draft"}, "cwe": "CWE-93", "details": ["No description is available for this CVE."], "name": "CVE-2026-21428", "public_date": "2026-01-01T17:54:43Z", "references": ["https://www.cve.org/CVERecord?id=CVE-2026-21428\nhttps://nvd.nist.gov/vuln/detail/CVE-2026-21428\nhttps://github.com/yhirose/cpp-httplib/commit/98048a033a532ff22320ce1d11789f8d5710dfcd\nhttps://github.com/yhirose/cpp-httplib/releases/tag/v0.30.0\nhttps://github.com/yhirose/cpp-httplib/security/advisories/GHSA-wpc6-j37r-jcx7"], "statement": "This vulnerability is rated IMPORTANT as it allows remote attackers to perform Server-Side Request Forgery attacks to locations outside the scope of cpp-httplib by injecting carriage return and line feed characters into user-supplied headers. This affects applications utilizing the `cpp-httplib` library in Red Hat Community Projects such as Fedora and EPEL, where the library is used to process untrusted HTTP headers.", "threat_severity": "Important"}

{"analysis": {"en": {"generated_at": "2026-04-18T19:23:44.631560+00:00", "value": {"mitigation_remediation": ["Upgrade cpp-httplib to version\u202f0.30.0 or later.", "Validate or strip CR and LF characters from any user\u2011supplied header values before calling write_headers.", "Disable HTTP/1.1 pipelining in the server or application framework until the library can be patched."], "summary": {"action": "Update Now", "impact": "Server\u2011Side Request Forgery via HTTP header injection"}, "threat_synthesis": {"affected_systems": "yhirose\u2019s cpp\u2011httplib is affected when used in any application prior to version 0.30.0. The library is distributed as a single header file, so all projects that include it without updating to the patched release are susceptible. Versions before 0.30.0 lack header validation in write_headers, which is required to address the injection vulnerability.", "description_and_impact": "The cpp-httplib library builds HTTP and HTTPS requests, and the bug originates from its write_headers function, which fails to sanitize carriage\u2011return and line\u2011feed characters in header values supplied by external actors. This flaw allows a malicious user to inject arbitrary header lines or fragment the request body, effectively manipulating the request payload. The weakness is classified as CWE\u201193 and can enable server\u2011side request forgery, as well as unintended data leakage or service disruption when the library is used in environments that support HTTP/1.1 pipelining. Based on the CVE description, it is inferred that attackers can supply malicious header values over a network interface to exploit the library.", "risk_and_exploitability": "The severity score of 7.7 indicates a high impact, and the EPSS score of less than 1\u202f% suggests that, as of the last assessment, exploitation is not widespread. The flaw appears to be remote; although the CVE description does not explicitly state the attack vector, it is inferred that an attacker can supply malicious header values over a network interface that the target application processes. Because the library is widely used in small to medium\u2011sized services, the potential for harm exists, but the current low EPSS and lack of a KEV listing mean that immediate exploitation is unlikely. Nonetheless, the risk remains significant for deployments that have not yet applied the 0.30.0 fix or that operate in environments supporting HTTP/1.1 pipelining, which can magnify the impact."}}}}, "created": "2026-01-05T10:14:45.053663+00:00", "updated": "2026-04-18T19:30:08.965659+00:00", "vendors": ["yhirose", "yhirose$PRODUCT$cpp-httplib"]}