Skip to main content

Cpp Httplib CVE-2026-33745

| EUVDEUVD-2026-16515 HIGH
Information Exposure (CWE-200)
2026-03-27 GitHub_M
7.4
CVSS 3.1 · GitHub Advisory
Share

Severity by source

GitHub Advisory PRIMARY
7.4 HIGH
AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:N
SUSE
HIGH
qualitative

Primary rating from GitHub Advisory.

CVSS VectorGitHub Advisory

CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:N
Attack Vector
Network
Attack Complexity
High
Privileges Required
None
User Interaction
None
Scope
Unchanged
Confidentiality
High
Integrity
High
Availability
None

Lifecycle Timeline

4
Patch released
Mar 31, 2026 - 21:13 nvd
Patch available
EUVD ID Assigned
Mar 27, 2026 - 01:15 euvd
EUVD-2026-16515
Analysis Generated
Mar 27, 2026 - 01:15 vuln.today
CVE Published
Mar 27, 2026 - 00:46 nvd
HIGH 7.4

DescriptionGitHub Advisory

cpp-httplib is a C++11 single-file header-only cross platform HTTP/HTTPS library. Prior to 0.39.0, the cpp-httplib HTTP client forwards stored Basic Auth, Bearer Token, and Digest Auth credentials to arbitrary hosts when following cross-origin HTTP redirects (301/302/307/308). A malicious or compromised server can redirect the client to an attacker-controlled host, which then receives the plaintext credentials in the Authorization header. Version 0.39.0 fixes the issue.

AnalysisAI

The cpp-httplib HTTP/HTTPS client library (versions prior to 0.39.0) leaks authentication credentials to arbitrary third-party servers when following cross-origin HTTP redirects. An attacker operating a malicious server can issue a 301/302/307/308 redirect to capture plaintext Basic Auth, Bearer Token, or Digest Auth credentials from the Authorization header. CVSS score of 7.4 reflects high confidentiality and integrity impact with network attack vector and high complexity; no public exploit identified at time of analysis.

Technical ContextAI

cpp-httplib is a single-file header-only C++11 cross-platform HTTP/HTTPS library maintained by yhirose. The affected product is identified via CPE cpe:2.3:a:yhirose:cpp-httplib:*:*:*:*:*:*:*:*. The vulnerability represents CWE-200 (Exposure of Sensitive Information to an Unauthorized Actor) where the HTTP client implementation fails to strip authorization credentials when processing cross-origin redirects. RFC 7235 best practices recommend clients avoid sending credentials to different origins, but the library's redirect handling logic did not implement this protection, causing stored authentication material to persist across domain boundaries during automatic redirect following.

RemediationAI

Upgrade cpp-httplib to version 0.39.0 or later, which implements proper credential stripping during cross-origin redirects. The vendor-released patch is available as version 0.39.0 per the GitHub security advisory at https://github.com/yhirose/cpp-httplib/security/advisories/GHSA-6hrp-7fq9-3qv2. For applications unable to upgrade immediately, implement application-layer controls including disabling automatic redirect following and handling redirects manually with explicit credential management logic, validating redirect target origins against an allowlist before retransmitting authentication headers, or using per-origin credential storage rather than global client-level authentication. Review application logs for unexpected cross-origin redirect sequences that may indicate historical credential exposure.

CVE-2025-66570 CRITICAL POC
10.0 Dec 05

cpp-httplib is a C++11 single-file header-only cross platform HTTP/HTTPS library. Prior to 0.27.0, a vulnerability allow

CVE-2025-53628 HIGH POC
8.8 Jul 10

CVE-2025-53628 is a memory exhaustion vulnerability in cpp-httplib versions prior to 0.20.1 that allows unauthenticated

CVE-2025-46728 HIGH POC
7.5 May 06

cpp-httplib is a C++ header-only HTTP/HTTPS server and client library. Rated high severity (CVSS 7.5), this vulnerabilit

CVE-2025-52887 HIGH POC
7.5 Jun 26

cpp-httplib is a C++11 single-file header-only cross platform HTTP/HTTPS library. In version 0.21.0, when many http head

CVE-2025-53629 HIGH POC
7.5 Jul 10

CVE-2025-53629 is a Denial of Service vulnerability in cpp-httplib versions prior to 0.23.0 that allows unauthenticated

CVE-2026-22776 HIGH POC
7.5 Jan 12

cpp-httplib versions prior to 0.30.1 are vulnerable to denial of service attacks due to insufficient validation of decom

CVE-2026-28435 HIGH POC
7.5 Mar 04

cpp-httplib is a C++11 single-file header-only cross platform HTTP/HTTPS library. [CVSS 7.5 HIGH]

CVE-2026-21428 HIGH POC
7.5 Jan 01

Cpp-Httplib versions up to 0.30.0 contains a vulnerability that allows attackers to add extra headers, modify request bo

CVE-2020-11709 HIGH POC
7.5 Apr 12

cpp-httplib through 0.5.8 does not filter \r\n in parameters passed into the set_redirect and set_header functions, whic

CVE-2026-29076 MEDIUM POC
5.9 Mar 07

Remote denial of service in cpp-httplib prior to version 0.37.0 allows unauthenticated attackers to crash server process

CVE-2025-66577 MEDIUM POC
5.3 Dec 05

A security vulnerability in cpp-httplib (CVSS 5.3) that allows attacker-controlled http headers. Risk factors: public Po

CVE-2026-28434 MEDIUM POC
5.3 Mar 04

cpp-httplib is a C++11 single-file header-only cross platform HTTP/HTTPS library. [CVSS 5.3 MEDIUM]

Vendor StatusVendor

SUSE

Severity: High
Product Status
SUSE Linux Enterprise Server 16.0 Fixed
SUSE Linux Enterprise Server 16.1 Fixed
SUSE Linux Enterprise Server for SAP applications 16.0 Fixed
SUSE Linux Enterprise Server for SAP applications 16.1 Fixed

Share

CVE-2026-33745 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy