Severity by source
AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:N
Primary rating from GitHub Advisory.
CVSS VectorGitHub Advisory
CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:N
Lifecycle Timeline
4DescriptionGitHub Advisory
cpp-httplib is a C++11 single-file header-only cross platform HTTP/HTTPS library. Prior to version 0.40.0, cpp-httplib is vulnerable to HTTP Request Smuggling. The server's static file handler serves GET responses without consuming the request body. On HTTP/1.1 keep-alive connections, the unread body bytes remain on the TCP stream and are interpreted as the start of a new HTTP request. An attacker can embed an arbitrary HTTP request inside the body of a GET request, which the server processes as a separate request. This issue has been patched in version 0.40.0.
AnalysisAI
HTTP Request Smuggling in cpp-httplib prior to 0.40.0 allows remote attackers to inject arbitrary HTTP requests on HTTP/1.1 keep-alive connections by embedding malicious request data in the body of GET requests that the static file handler does not consume. The unread body bytes remain on the TCP stream and are interpreted as a new request, enabling information disclosure and request manipulation without authentication or user interaction.
Technical ContextAI
cpp-httplib is a C++11 header-only HTTP/HTTPS library commonly used in embedded and standalone HTTP server implementations. The vulnerability stems from improper request body handling in the static file GET response handler, which violates HTTP/1.1 semantics (RFC 7230) requiring complete body consumption before pipelining. CWE-444 (Improper Restriction of Rendered UI Layers or Frames) maps to a broader category of request/response protocol handling flaws. The root cause is that when serving static files via GET requests, the handler does not read and discard the request body before returning the response. On keep-alive connections, this leaves unconsumed bytes on the TCP socket, which HTTP/1.1 clients interpret as the start of the next request in the pipeline. An attacker can craft a GET request with a body containing a fully-formed HTTP request (e.g., POST to /admin, HEAD to sensitive endpoints), which the server then processes as a legitimate second request.
RemediationAI
Vendor-released patch: cpp-httplib 0.40.0 and later. Update the cpp-httplib header file or dependency to version 0.40.0 or newer, which fixes the request body handling in the static file GET handler. No workaround for older versions is documented; patching is the primary mitigation. For immediate protection while patching is pending, disable HTTP/1.1 keep-alive by configuring connections to close after each response (Connection: close headers), or disable static file serving if not required. Reference the security advisory at https://github.com/yhirose/cpp-httplib/security/advisories/GHSA-jv63-rm9j-6jwc and release notes at https://github.com/yhirose/cpp-httplib/releases/tag/v0.40.0.
Same weakness CWE-444 – HTTP Request/Response Smuggling
View allSame technique Request Smuggling
View allVendor StatusVendor
SUSE
Severity: Medium| Product | Status |
|---|---|
| SUSE Linux Enterprise Server 16.0 | Fixed |
| SUSE Linux Enterprise Server 16.1 | Fixed |
| SUSE Linux Enterprise Server for SAP applications 16.0 | Fixed |
| SUSE Linux Enterprise Server for SAP applications 16.1 | Fixed |
Share
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-17672