Severity by source
CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
Primary rating from GitHub Advisory.
CVSS VectorGitHub Advisory
CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Lifecycle Timeline
3DescriptionGitHub Advisory
cpp-httplib is a C++11 single-file header-only cross platform HTTP/HTTPS library. Prior to 0.44.0, When the server has called Server::set_trusted_proxies() with a non-empty trusted-proxy list, an attacker can send an HTTP request that includes an X-Forwarded-For header whose value parses to no valid IP segments. The code path then executes get_client_ip(), which calls front() on an empty std::vector-undefined behavior in C++. On typical implementations this manifests as abnormal process termination (denial of service). With Sanitizers enabled, you get an explicit runtime diagnostic. This vulnerability is fixed in 0.44.0.
AnalysisAI
Denial of service in cpp-httplib (C++ header-only HTTP/HTTPS library) versions prior to 0.44.0 allows remote unauthenticated attackers to crash server processes by sending an HTTP request with a malformed X-Forwarded-For header. The flaw is reachable only when the application has configured a non-empty trusted-proxy list via Server::set_trusted_proxies(). CVSS 4.0 scores this 8.7 (high) due to network reachability and high availability impact; no public exploit identified at time of analysis and the issue is not listed in CISA KEV.
Technical ContextAI
cpp-httplib is a widely embedded single-file C++11 HTTP/HTTPS library maintained by yhirose, used to add HTTP server/client capability to native applications without external dependencies. The root cause is CWE-476 (NULL Pointer Dereference), though here it presents as a related undefined-behavior pattern: get_client_ip() invokes front() on an empty std::vector<> after the X-Forwarded-For parser returns no valid IP segments. Calling front() on an empty vector is undefined behavior in C++ and on typical libstdc++/libc++ implementations dereferences an invalid pointer, terminating the process; with ASan/UBSan the runtime emits an explicit diagnostic. The affected CPE is cpe:2.3:a:yhirose:cpp-httplib:*:*:*:*:*:*:*:* covering all versions prior to 0.44.0.
RemediationAI
Vendor-released patch: upgrade to cpp-httplib 0.44.0 or later and rebuild all downstream binaries that statically include the header, per advisory GHSA-hg3g-vrg8-578g (https://github.com/yhirose/cpp-httplib/security/advisories/GHSA-hg3g-vrg8-578g). If immediate upgrade is not feasible, the most direct workaround is to remove or empty the Server::set_trusted_proxies() call so the vulnerable code path is never reached - note this disables proxy-aware client-IP resolution, which will cause downstream logging, rate limiting, and ACLs to see the proxy's IP rather than the real client. Alternatively, strip or sanitize incoming X-Forwarded-For headers at the upstream reverse proxy (e.g., nginx proxy_set_header) so malformed values never reach the cpp-httplib server, accepting the operational cost of an additional proxy layer enforcement.
Same weakness CWE-476 – NULL Pointer Dereference
View allSame technique Null Pointer Dereference
View allVendor StatusVendor
SUSE
Severity: High| Product | Status |
|---|---|
| SUSE Linux Enterprise Server 16.0 | Fixed |
| SUSE Linux Enterprise Server 16.1 | Fixed |
| SUSE Linux Enterprise Server for SAP applications 16.0 | Fixed |
| SUSE Linux Enterprise Server for SAP applications 16.1 | Fixed |
| openSUSE Leap 16.0 | Fixed |
Share
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-33426