CRITICAL | CVE-2026-45372 | CNA: GitHub_M

CVE-2026-45372: cpp-httplib: HTTP header value percent-decoding in server-side `parse_header` enables CRLF injection

cpp-httplib is a C++11 single-file header-only cross platform HTTP/HTTPS library. Prior to 0.44.0, when cpp-httplib's server parses an incoming request, it applies percent-decoding to every header value except Location and Referer. The validity check (is_field_value) is run before decoding, so encoded %0D%0A passes the check and is then expanded to a literal \r\n byte pair inside the stored header value. This vulnerability is fixed in 0.44.0.

HarborGuard Analysis

Synopsis

A CRLF injection flaw in cpp-httplib (yhirose's C++11 header-only HTTP library) lets an unauthenticated network attacker smuggle line terminators into stored header values. The server runs its header validity check before percent-decoding, so encoded %0D%0A sequences slip past validation and then expand to literal \r\n inside header storage, enabling HTTP response splitting, header injection, and downstream request smuggling against any consumer of those headers. A patched-image rebuild at cpp-httplib 0.44.0 is available on HarborGuard for environments running an affected version.
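The ordering problem described above, shown as an added example. It is not cpp-httplib's code and not necessarily how 0.44.0 fixes the issue. `field_value_ok`, `percent_decode`, `check_then_decode`, `decode_then_check` and the sample value are hypothetical names and data constructed for illustration. The example contrasts validating the raw header value before decoding with validating the decoded bytes that are actually stored.

```cpp
#include <cctype>
#include <iostream>
#include <string>

// Hypothetical helpers for illustration; not cpp-httplib's implementation.
struct Result { bool accepted; std::string stored; };

// Simplified field-value check: reject control bytes other than HTAB, and DEL.
bool field_value_ok(const std::string &v) {
  for (unsigned char c : v)
    if ((c < 0x20 && c != '\t') || c == 0x7f) return false;
  return true;
}

int hex_val(char c) {
  if (c >= '0' && c <= '9') return c - '0';
  c = static_cast<char>(std::tolower(static_cast<unsigned char>(c)));
  return (c >= 'a' && c <= 'f') ? c - 'a' + 10 : -1;
}

// Minimal percent-decoder: %XX becomes one byte; malformed escapes stay verbatim.
std::string percent_decode(const std::string &s) {
  std::string out;
  for (std::size_t i = 0; i < s.size(); ++i) {
    int hi = -1, lo = -1;
    if (s[i] == '%' && i + 2 < s.size()) { hi = hex_val(s[i + 1]); lo = hex_val(s[i + 2]); }
    if (hi >= 0 && lo >= 0) { out.push_back(static_cast<char>(hi * 16 + lo)); i += 2; }
    else out.push_back(s[i]);
  }
  return out;
}

// Order described in the advisory: validate the raw value, then decode and store.
Result check_then_decode(const std::string &raw) {
  if (!field_value_ok(raw)) return Result{false, ""};
  return Result{true, percent_decode(raw)};
}

// Corrected order for code that decodes: validate the bytes that will be stored.
Result decode_then_check(const std::string &raw) {
  std::string decoded = percent_decode(raw);
  if (!field_value_ok(decoded)) return Result{false, ""};
  return Result{true, decoded};
}

const std::string kSample = "abc%0D%0Adef";  // constructed header value
int main() {
  std::cout << check_then_decode(kSample).accepted << decode_then_check(kSample).accepted << "\n";
}
```

The same decoded-bytes check applies to any component that re-serializes stored header values, such as the re-validating reverse proxy listed among the compensating controls.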

HarborGuard Coverage

Detection

Detection is available across every HarborGuard environment: the advisory is ingested from upstream feeds within minutes of publication and matched against cpp-httplib usage in customer registries and CI pipelines. Coverage extends to custom-built images that vendor cpp-httplib as a header-only dependency, which is the common integration pattern for this library.

Available

Triage

Triage scoring uses the published CVSS 9.9 critical rating, then re-weights against each customer's compliance policy (internet-facing services, regulated data classes, exposure of the embedded HTTP server). Findings are routed to the appropriate inbox inside each customer organization so server-side cpp-httplib usage is prioritized ahead of internal-only callers.

Available

Patch

A patched-image rebuild pinned to cpp-httplib 0.44.0 is available on HarborGuard for affected environments. For customers who opt into auto-remediation, the rebuild is produced, run through the configured regression suite, and a PR is opened against the affected workloads automatically.

Pending upstream

Exploit Conditions

  • Network reachability: Required

    The attacker must reach the cpp-httplib server over the network; any exposed HTTP endpoint built on the library is in scope.

  • Authentication: Not required

    No credentials are needed; the injection happens during header parsing before any application-level auth runs.

  • Victim interaction: Not required

    The server processes the malicious request on its own; no user click or session is involved.

  • Attack complexity: Detail

    AC:L indicates the exploit is reliable and condition-free, requiring only a crafted header with percent-encoded CRLF bytes.

Blast Radius

  • Injects arbitrary headers and body content into HTTP responses, enabling response splitting and cache poisoning against downstream proxies and clients.
  • Tampers with header values that the application or upstream services trust for routing, authentication, or logging decisions.
  • Smuggles secondary requests through intermediaries that re-serialize the parsed headers, leading to request smuggling on shared infrastructure.
  • Can disrupt the affected service by corrupting protocol state on persistent connections.

How HarborGuard Handles This

Available on HarborGuard: a rebuilt image pinned to cpp-httplib 0.44.0, plus a regression run and a PR opened against affected workloads for environments with auto-remediation enabled. Median time from CVE publication to merged patch PR for critical-severity issues like this one is around 90 minutes in those environments. For customers whose compliance policy blocks auto-remediation, the same rebuild is staged for manual approval, and HarborGuard surfaces compensating controls (front the service with a reverse proxy that re-validates header bytes, restrict header-value character sets at the edge, and isolate the cpp-httplib listener from untrusted networks) until the upgrade lands.

Metrics

CVSS v3.1: 9.9
Severity: CRITICAL
Fixed in
Affected Products: 1
Affected packages:
  • yhirose / cpp-httplib < 0.44.0
CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:L/I:H/A:L