9.9
cpp-httplib: Malicious headers can cause server crashes
DEBIAN-CVE-2026-45372
Summary
A security issue was found in the cpp-httplib library, which is used for creating HTTP servers. This issue can allow an attacker to crash the server by sending a malicious HTTP request. To fix this, update to version 0.44.0 or later.
What to do
No fix is available yet. Check with your software vendor for updates.
Affected software
| Ecosystem | Vendor | Product | Affected versions |
|---|---|---|---|
| Debian:12 | debian | cpp-httplib | All versions |
| Debian:13 | debian | cpp-httplib | All versions |
| Debian:14 | debian | cpp-httplib | All versions |
Original title
cpp-httplib is a C++11 single-file header-only cross platform HTTP/HTTPS library. Prior to 0.44.0, when cpp-httplib's server parses an incoming request, it applies percent-decoding to every header ...
Original description
cpp-httplib is a C++11 single-file header-only cross platform HTTP/HTTPS library. Prior to 0.44.0, when cpp-httplib's server parses an incoming request, it applies percent-decoding to every header value except Location and Referer. The validity check (is_field_value) is run before decoding, so encoded %0D%0A passes the check and is then expanded to a literal \r\n byte pair inside the stored header value. This vulnerability is fixed in 0.44.0.
CVSS 3.1 (OSV): 9.9
- https://security-tracker.debian.org/tracker/CVE-2026-45372 Vendor Advisory
Published: 29 May 2026 · Updated: 30 May 2026 · First seen: 30 May 2026