Skip to main content

Cpp Httplib CVE-2026-32627

| EUVDEUVD-2026-12137 HIGH
Improper Certificate Validation (CWE-295)
2026-03-13 GitHub_M
8.7
CVSS 3.1 · GitHub Advisory
Share

Severity by source

GitHub Advisory PRIMARY
8.7 HIGH
AV:N/AC:H/PR:N/UI:N/S:C/C:H/I:H/A:N
SUSE
HIGH
qualitative

Primary rating from GitHub Advisory.

CVSS VectorGitHub Advisory

CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:C/C:H/I:H/A:N
Attack Vector
Network
Attack Complexity
High
Privileges Required
None
User Interaction
None
Scope
Changed
Confidentiality
High
Integrity
High
Availability
None

Lifecycle Timeline

6
Analysis Updated
Apr 16, 2026 - 06:22 EUVD-patch-fix
executive_summary
Re-analysis Queued
Apr 16, 2026 - 05:29 backfill_euvd_patch
patch_released
Patch available
Apr 16, 2026 - 05:29 EUVD
0.37.2
EUVD ID Assigned
Mar 13, 2026 - 21:01 euvd
EUVD-2026-12137
Analysis Generated
Mar 13, 2026 - 21:01 vuln.today
CVE Published
Mar 13, 2026 - 20:48 nvd
HIGH 8.7

DescriptionGitHub Advisory

cpp-httplib is a C++11 single-file header-only cross platform HTTP/HTTPS library. Prior to 0.37.2, when a cpp-httplib client is configured with a proxy and set_follow_location(true), any HTTPS redirect it follows will have TLS certificate and hostname verification silently disabled on the new connection. The client will accept any certificate presented by the redirect target - expired, self-signed, or forged - without raising an error or notifying the application. A network attacker in a position to return a redirect response can fully intercept the follow-up HTTPS connection, including any credentials or session tokens in flight. This vulnerability is fixed in 0.37.2.

AnalysisAI

cpp-httplib versions before 0.37.2 silently disable TLS certificate validation when following HTTPS redirects through a proxy, allowing attackers to intercept encrypted connections without detection. This affects any application using cpp-httplib as an HTTP client with proxy and redirect following enabled. No active exploitation (not in KEV) or public POC has been reported, with low EPSS probability indicating minimal current threat activity.

Technical ContextAI

cpp-httplib is a lightweight, header-only C++11 HTTP/HTTPS library (CPE: cpe:2.3:a:yhirose:cpp-httplib:*:*:*:*:*:*:*:*). The vulnerability stems from improper certificate validation (CWE-295) when the client is configured with both a proxy server and set_follow_location(true). During HTTPS redirects, the library fails to maintain TLS security checks on the redirected connection, accepting any certificate including expired, self-signed, or attacker-controlled certificates without warning.

RemediationAI

Upgrade to cpp-httplib version 0.37.2 or later, which fixes the certificate validation issue. For applications unable to upgrade immediately, disable either proxy usage or set_follow_location(false) to prevent the vulnerable code path. Review the vendor advisory at https://github.com/yhirose/cpp-httplib/security/advisories/GHSA-c3h8-fqq4-xm4g for detailed patch information.

CVE-2025-66570 CRITICAL POC
10.0 Dec 05

cpp-httplib is a C++11 single-file header-only cross platform HTTP/HTTPS library. Prior to 0.27.0, a vulnerability allow

CVE-2025-53628 HIGH POC
8.8 Jul 10

CVE-2025-53628 is a memory exhaustion vulnerability in cpp-httplib versions prior to 0.20.1 that allows unauthenticated

CVE-2025-46728 HIGH POC
7.5 May 06

cpp-httplib is a C++ header-only HTTP/HTTPS server and client library. Rated high severity (CVSS 7.5), this vulnerabilit

CVE-2025-52887 HIGH POC
7.5 Jun 26

cpp-httplib is a C++11 single-file header-only cross platform HTTP/HTTPS library. In version 0.21.0, when many http head

CVE-2025-53629 HIGH POC
7.5 Jul 10

CVE-2025-53629 is a Denial of Service vulnerability in cpp-httplib versions prior to 0.23.0 that allows unauthenticated

CVE-2026-22776 HIGH POC
7.5 Jan 12

cpp-httplib versions prior to 0.30.1 are vulnerable to denial of service attacks due to insufficient validation of decom

CVE-2026-28435 HIGH POC
7.5 Mar 04

cpp-httplib is a C++11 single-file header-only cross platform HTTP/HTTPS library. [CVSS 7.5 HIGH]

CVE-2026-21428 HIGH POC
7.5 Jan 01

Cpp-Httplib versions up to 0.30.0 contains a vulnerability that allows attackers to add extra headers, modify request bo

CVE-2020-11709 HIGH POC
7.5 Apr 12

cpp-httplib through 0.5.8 does not filter \r\n in parameters passed into the set_redirect and set_header functions, whic

CVE-2026-29076 MEDIUM POC
5.9 Mar 07

Remote denial of service in cpp-httplib prior to version 0.37.0 allows unauthenticated attackers to crash server process

CVE-2025-66577 MEDIUM POC
5.3 Dec 05

A security vulnerability in cpp-httplib (CVSS 5.3) that allows attacker-controlled http headers. Risk factors: public Po

CVE-2026-28434 MEDIUM POC
5.3 Mar 04

cpp-httplib is a C++11 single-file header-only cross platform HTTP/HTTPS library. [CVSS 5.3 MEDIUM]

Vendor StatusVendor

SUSE

Severity: High
Product Status
openSUSE Tumbleweed Fixed
SUSE Linux Enterprise Server 16.0 Fixed
SUSE Linux Enterprise Server 16.1 Fixed
SUSE Linux Enterprise Server for SAP applications 16.0 Fixed
SUSE Linux Enterprise Server for SAP applications 16.1 Fixed

Share

CVE-2026-32627 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy