EUVD-2026-16515
CVSS Vector
CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:N
Lifecycle Timeline
4Description
cpp-httplib is a C++11 single-file header-only cross platform HTTP/HTTPS library. Prior to 0.39.0, the cpp-httplib HTTP client forwards stored Basic Auth, Bearer Token, and Digest Auth credentials to arbitrary hosts when following cross-origin HTTP redirects (301/302/307/308). A malicious or compromised server can redirect the client to an attacker-controlled host, which then receives the plaintext credentials in the `Authorization` header. Version 0.39.0 fixes the issue.
Analysis
The cpp-httplib HTTP/HTTPS client library (versions prior to 0.39.0) leaks authentication credentials to arbitrary third-party servers when following cross-origin HTTP redirects. An attacker operating a malicious server can issue a 301/302/307/308 redirect to capture plaintext Basic Auth, Bearer Token, or Digest Auth credentials from the Authorization header. …
Sign in for full analysis, threat intelligence, and remediation guidance.
Remediation
Within 24 hours: Inventory all internal and third-party applications using cpp-httplib and document current versions. Within 7 days: Evaluate upgrade path to cpp-httplib 0.39.0 or later and test in non-production environments; prioritize applications handling sensitive authentication or accessing critical systems. …
Sign in for detailed remediation steps.
Priority Score
Vendor Status
Share
External POC / Exploit Code
Leaving vuln.today