Skip to main content

Suse EUVDEUVD-2026-17672

| CVE-2026-34441 MEDIUM
HTTP Request/Response Smuggling (CWE-444)
2026-03-31 GitHub_M
4.8
CVSS 3.1 · GitHub Advisory
Share

Severity by source

GitHub Advisory PRIMARY
4.8 MEDIUM
AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:N
SUSE
MEDIUM
qualitative

Primary rating from GitHub Advisory.

CVSS VectorGitHub Advisory

CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:N
Attack Vector
Network
Attack Complexity
High
Privileges Required
None
User Interaction
None
Scope
Unchanged
Confidentiality
Low
Integrity
Low
Availability
None

Lifecycle Timeline

4
Patch available
Apr 16, 2026 - 05:29 EUVD
0.40.0
EUVD ID Assigned
Mar 31, 2026 - 21:46 euvd
EUVD-2026-17672
Analysis Generated
Mar 31, 2026 - 21:46 vuln.today
CVE Published
Mar 31, 2026 - 21:21 nvd
MEDIUM 4.8

DescriptionGitHub Advisory

cpp-httplib is a C++11 single-file header-only cross platform HTTP/HTTPS library. Prior to version 0.40.0, cpp-httplib is vulnerable to HTTP Request Smuggling. The server's static file handler serves GET responses without consuming the request body. On HTTP/1.1 keep-alive connections, the unread body bytes remain on the TCP stream and are interpreted as the start of a new HTTP request. An attacker can embed an arbitrary HTTP request inside the body of a GET request, which the server processes as a separate request. This issue has been patched in version 0.40.0.

AnalysisAI

HTTP Request Smuggling in cpp-httplib prior to 0.40.0 allows remote attackers to inject arbitrary HTTP requests on HTTP/1.1 keep-alive connections by embedding malicious request data in the body of GET requests that the static file handler does not consume. The unread body bytes remain on the TCP stream and are interpreted as a new request, enabling information disclosure and request manipulation without authentication or user interaction.

Technical ContextAI

cpp-httplib is a C++11 header-only HTTP/HTTPS library commonly used in embedded and standalone HTTP server implementations. The vulnerability stems from improper request body handling in the static file GET response handler, which violates HTTP/1.1 semantics (RFC 7230) requiring complete body consumption before pipelining. CWE-444 (Improper Restriction of Rendered UI Layers or Frames) maps to a broader category of request/response protocol handling flaws. The root cause is that when serving static files via GET requests, the handler does not read and discard the request body before returning the response. On keep-alive connections, this leaves unconsumed bytes on the TCP socket, which HTTP/1.1 clients interpret as the start of the next request in the pipeline. An attacker can craft a GET request with a body containing a fully-formed HTTP request (e.g., POST to /admin, HEAD to sensitive endpoints), which the server then processes as a legitimate second request.

RemediationAI

Vendor-released patch: cpp-httplib 0.40.0 and later. Update the cpp-httplib header file or dependency to version 0.40.0 or newer, which fixes the request body handling in the static file GET handler. No workaround for older versions is documented; patching is the primary mitigation. For immediate protection while patching is pending, disable HTTP/1.1 keep-alive by configuring connections to close after each response (Connection: close headers), or disable static file serving if not required. Reference the security advisory at https://github.com/yhirose/cpp-httplib/security/advisories/GHSA-jv63-rm9j-6jwc and release notes at https://github.com/yhirose/cpp-httplib/releases/tag/v0.40.0.

Vendor StatusVendor

SUSE

Severity: Medium
Product Status
SUSE Linux Enterprise Server 16.0 Fixed
SUSE Linux Enterprise Server 16.1 Fixed
SUSE Linux Enterprise Server for SAP applications 16.0 Fixed
SUSE Linux Enterprise Server for SAP applications 16.1 Fixed

Share

EUVD-2026-17672 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy