Skip to main content

cpp-httplib CVE-2026-46527

| EUVDEUVD-2026-33426 HIGH
NULL Pointer Dereference (CWE-476)
2026-05-29 GitHub_M
8.7
CVSS 4.0 · GitHub Advisory
Share

Severity by source

GitHub Advisory PRIMARY
8.7 HIGH
CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
SUSE
7.5 HIGH
AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

Primary rating from GitHub Advisory.

CVSS VectorGitHub Advisory

CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Attack Vector
Network
Attack Complexity
Low
Privileges Required
None
User Interaction
None
Scope
X

Lifecycle Timeline

3
Patch available
May 29, 2026 - 21:02 EUVD
Analysis Generated
May 29, 2026 - 20:32 vuln.today
CVSS changed
May 29, 2026 - 20:22 NVD
8.7 (HIGH)

DescriptionGitHub Advisory

cpp-httplib is a C++11 single-file header-only cross platform HTTP/HTTPS library. Prior to 0.44.0, When the server has called Server::set_trusted_proxies() with a non-empty trusted-proxy list, an attacker can send an HTTP request that includes an X-Forwarded-For header whose value parses to no valid IP segments. The code path then executes get_client_ip(), which calls front() on an empty std::vector-undefined behavior in C++. On typical implementations this manifests as abnormal process termination (denial of service). With Sanitizers enabled, you get an explicit runtime diagnostic. This vulnerability is fixed in 0.44.0.

AnalysisAI

Denial of service in cpp-httplib (C++ header-only HTTP/HTTPS library) versions prior to 0.44.0 allows remote unauthenticated attackers to crash server processes by sending an HTTP request with a malformed X-Forwarded-For header. The flaw is reachable only when the application has configured a non-empty trusted-proxy list via Server::set_trusted_proxies(). CVSS 4.0 scores this 8.7 (high) due to network reachability and high availability impact; no public exploit identified at time of analysis and the issue is not listed in CISA KEV.

Technical ContextAI

cpp-httplib is a widely embedded single-file C++11 HTTP/HTTPS library maintained by yhirose, used to add HTTP server/client capability to native applications without external dependencies. The root cause is CWE-476 (NULL Pointer Dereference), though here it presents as a related undefined-behavior pattern: get_client_ip() invokes front() on an empty std::vector<> after the X-Forwarded-For parser returns no valid IP segments. Calling front() on an empty vector is undefined behavior in C++ and on typical libstdc++/libc++ implementations dereferences an invalid pointer, terminating the process; with ASan/UBSan the runtime emits an explicit diagnostic. The affected CPE is cpe:2.3:a:yhirose:cpp-httplib:*:*:*:*:*:*:*:* covering all versions prior to 0.44.0.

RemediationAI

Vendor-released patch: upgrade to cpp-httplib 0.44.0 or later and rebuild all downstream binaries that statically include the header, per advisory GHSA-hg3g-vrg8-578g (https://github.com/yhirose/cpp-httplib/security/advisories/GHSA-hg3g-vrg8-578g). If immediate upgrade is not feasible, the most direct workaround is to remove or empty the Server::set_trusted_proxies() call so the vulnerable code path is never reached - note this disables proxy-aware client-IP resolution, which will cause downstream logging, rate limiting, and ACLs to see the proxy's IP rather than the real client. Alternatively, strip or sanitize incoming X-Forwarded-For headers at the upstream reverse proxy (e.g., nginx proxy_set_header) so malformed values never reach the cpp-httplib server, accepting the operational cost of an additional proxy layer enforcement.

Vendor StatusVendor

SUSE

Severity: High
Product Status
SUSE Linux Enterprise Server 16.0 Fixed
SUSE Linux Enterprise Server 16.1 Fixed
SUSE Linux Enterprise Server for SAP applications 16.0 Fixed
SUSE Linux Enterprise Server for SAP applications 16.1 Fixed
openSUSE Leap 16.0 Fixed

Share

CVE-2026-46527 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy