Severity by source
AV:N/AC:H/PR:N/UI:N/S:C/C:H/I:H/A:N
Primary rating from GitHub Advisory.
CVSS VectorGitHub Advisory
CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:C/C:H/I:H/A:N
Lifecycle Timeline
6DescriptionGitHub Advisory
cpp-httplib is a C++11 single-file header-only cross platform HTTP/HTTPS library. Prior to 0.37.2, when a cpp-httplib client is configured with a proxy and set_follow_location(true), any HTTPS redirect it follows will have TLS certificate and hostname verification silently disabled on the new connection. The client will accept any certificate presented by the redirect target - expired, self-signed, or forged - without raising an error or notifying the application. A network attacker in a position to return a redirect response can fully intercept the follow-up HTTPS connection, including any credentials or session tokens in flight. This vulnerability is fixed in 0.37.2.
AnalysisAI
cpp-httplib versions before 0.37.2 silently disable TLS certificate validation when following HTTPS redirects through a proxy, allowing attackers to intercept encrypted connections without detection. This affects any application using cpp-httplib as an HTTP client with proxy and redirect following enabled. No active exploitation (not in KEV) or public POC has been reported, with low EPSS probability indicating minimal current threat activity.
Technical ContextAI
cpp-httplib is a lightweight, header-only C++11 HTTP/HTTPS library (CPE: cpe:2.3:a:yhirose:cpp-httplib:*:*:*:*:*:*:*:*). The vulnerability stems from improper certificate validation (CWE-295) when the client is configured with both a proxy server and set_follow_location(true). During HTTPS redirects, the library fails to maintain TLS security checks on the redirected connection, accepting any certificate including expired, self-signed, or attacker-controlled certificates without warning.
RemediationAI
Upgrade to cpp-httplib version 0.37.2 or later, which fixes the certificate validation issue. For applications unable to upgrade immediately, disable either proxy usage or set_follow_location(false) to prevent the vulnerable code path. Review the vendor advisory at https://github.com/yhirose/cpp-httplib/security/advisories/GHSA-c3h8-fqq4-xm4g for detailed patch information.
More in Cpp Httplib
View allcpp-httplib is a C++11 single-file header-only cross platform HTTP/HTTPS library. Prior to 0.27.0, a vulnerability allow
CVE-2025-53628 is a memory exhaustion vulnerability in cpp-httplib versions prior to 0.20.1 that allows unauthenticated
cpp-httplib is a C++ header-only HTTP/HTTPS server and client library. Rated high severity (CVSS 7.5), this vulnerabilit
cpp-httplib is a C++11 single-file header-only cross platform HTTP/HTTPS library. In version 0.21.0, when many http head
CVE-2025-53629 is a Denial of Service vulnerability in cpp-httplib versions prior to 0.23.0 that allows unauthenticated
cpp-httplib versions prior to 0.30.1 are vulnerable to denial of service attacks due to insufficient validation of decom
cpp-httplib is a C++11 single-file header-only cross platform HTTP/HTTPS library. [CVSS 7.5 HIGH]
Cpp-Httplib versions up to 0.30.0 contains a vulnerability that allows attackers to add extra headers, modify request bo
cpp-httplib through 0.5.8 does not filter \r\n in parameters passed into the set_redirect and set_header functions, whic
Remote denial of service in cpp-httplib prior to version 0.37.0 allows unauthenticated attackers to crash server process
A security vulnerability in cpp-httplib (CVSS 5.3) that allows attacker-controlled http headers. Risk factors: public Po
cpp-httplib is a C++11 single-file header-only cross platform HTTP/HTTPS library. [CVSS 5.3 MEDIUM]
Same weakness CWE-295 – Improper Certificate Validation
View allSame technique Information Disclosure
View allVendor StatusVendor
SUSE
Severity: High| Product | Status |
|---|---|
| openSUSE Tumbleweed | Fixed |
| SUSE Linux Enterprise Server 16.0 | Fixed |
| SUSE Linux Enterprise Server 16.1 | Fixed |
| SUSE Linux Enterprise Server for SAP applications 16.0 | Fixed |
| SUSE Linux Enterprise Server for SAP applications 16.1 | Fixed |
Share
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-12137