Skip to main content

cpp-httplib EUVDEUVD-2026-42942

| CVE-2026-54919 HIGH
Improper Certificate Validation (CWE-295)
2026-07-10 GitHub_M
7.4
CVSS 3.1 · Vendor: GitHub_M
Share

Severity by source

Vendor (GitHub_M) PRIMARY
7.4 HIGH
AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:N
vuln.today AI
7.4 HIGH

AC:H reflects the required MITM position and non-default backend/IP-literal preconditions; PR:N/UI:N as attacker needs no auth or victim action; C:H/I:H for read-and-modify, A:N.

3.1 AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:N
4.0 AV:N/AC:H/AT:N/PR:N/UI:N/VC:H/VI:H/VA:N/SC:N/SI:N/SA:N

Primary rating from Vendor (GitHub_M).

CVSS VectorVendor: GitHub_M

CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:N
Attack Vector
Network
Attack Complexity
High
Privileges Required
None
User Interaction
None
Scope
Unchanged
Confidentiality
High
Integrity
High
Availability
None

Lifecycle Timeline

2
Patch available
Jul 10, 2026 - 18:01 EUVD
Analysis Generated
Jul 10, 2026 - 17:01 vuln.today

DescriptionCVE.org

cpp-httplib is a C++11 single-file header-only cross platform HTTP/HTTPS library. In affected Mbed TLS backend versions from 0.31.0 through 0.46.1 and wolfSSL backend versions from 0.33.0 through 0.46.1, when cpp-httplib is built with CPPHTTPLIB_MBEDTLS_SUPPORT or CPPHTTPLIB_WOLFSSL_SUPPORT and a client connects to an IP-literal host with server certificate verification enabled, SSLClient and Client in HTTPS mode skip certificate chain validation and WebSocketClient on the Mbed TLS backend skips verification altogether, allowing a man-in-the-middle attacker positioned to intercept traffic to present a crafted certificate and read or modify the traffic. This issue is fixed in version 0.47.0.

AnalysisAI

TLS certificate validation bypass in cpp-httplib's Mbed TLS backend (0.31.0-0.46.1) and wolfSSL backend (0.33.0-0.46.1) lets a man-in-the-middle attacker defeat HTTPS/WSS protection when a client connects to an IP-literal host with verification nominally enabled. SSLClient/Client in HTTPS mode skip certificate chain validation and the WebSocketClient on Mbed TLS skips verification entirely, so an intercepting attacker can present a crafted certificate and read or alter traffic. …

Unlock full vulnerability intelligence

  • Risk assessment & exploitation conditions
  • Attack chain visualization
  • Remediation with exact patch versions
  • Threat intelligence from 22 sources
  • Personal watchlist & email alerts

Free forever · No credit card required

Attack ChainAIDerived

Hypothetical attack flow derived from CVE metadata

Access
Gain MITM position on client's network path
Delivery
Wait for HTTPS/WSS connection to IP-literal host
Exploit
Present crafted untrusted certificate
Execution
Client skips chain validation and accepts
Persist
Decrypt and relay session
Impact
Read or modify sensitive traffic

Vulnerability AssessmentAI

Exploitation Exploitation requires all of the following concrete conditions: the target application must be compiled with CPPHTTPLIB_MBEDTLS_SUPPORT (Mbed TLS backend, versions 0.31.0-0.46.1) or CPPHTTPLIB_WOLFSSL_SUPPORT (wolfSSL backend, versions 0.33.0-0.46.1); the client (SSLClient/Client in HTTPS mode, or WebSocketClient on Mbed TLS) must connect to an IP-literal host rather than a DNS hostname; server certificate verification must be enabled (the bug is that it is silently skipped anyway); and the attacker must occupy a man-in-the-middle position able to intercept and relay the victim's traffic. … Additional conditions and limiting factors are described in the full assessment.
Risk Assessment The supplied CVSS 3.1 vector (AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:N, base 7.4 High) is internally consistent with a MITM certificate-validation bypass: no authentication or user interaction is required, but AC:H correctly reflects the precondition that the attacker must already hold a privileged network position to intercept traffic. … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in.
Exploit Scenario An attacker who can position themselves on the network path (rogue Wi-Fi, ARP/DNS spoofing, or a compromised upstream hop) waits for a cpp-httplib client built with the Mbed TLS or wolfSSL backend to make an HTTPS or WebSocket connection to a server addressed by IP literal. The attacker terminates the TLS session with a self-signed or otherwise untrusted certificate, which the client accepts without chain validation, letting the attacker transparently read and modify API credentials, tokens, or payloads. …
Remediation Vendor-released patch: upgrade the bundled cpp-httplib header to version 0.47.0 or later (https://github.com/yhirose/cpp-httplib/releases/tag/v0.47.0), which corresponds to fix commit fa981cedae004ea9d946f1392b9dec22fac6fee6; because cpp-httplib is header-only, downstream projects must rebuild after replacing the header rather than relying on a shared-library update. … Detailed patch versions, workarounds, and compensating controls in full report.

Recommended ActionAI

Within 24 hours: Identify all internal and third-party applications using cpp-httplib 0.31.0-0.46.1 (Mbed TLS backend) or 0.33.0-0.46.1 (wolfSSL backend); flag as high-priority risk. …

Sign in for detailed remediation steps and compensating controls.

Threat intelligence, references, and detailed analysis are available after sign-in.

CVE-2025-66570 CRITICAL POC
10.0 Dec 05

cpp-httplib is a C++11 single-file header-only cross platform HTTP/HTTPS library. Prior to 0.27.0, a vulnerability allow

CVE-2025-53628 HIGH POC
8.8 Jul 10

CVE-2025-53628 is a memory exhaustion vulnerability in cpp-httplib versions prior to 0.20.1 that allows unauthenticated

CVE-2025-46728 HIGH POC
7.5 May 06

cpp-httplib is a C++ header-only HTTP/HTTPS server and client library. Rated high severity (CVSS 7.5), this vulnerabilit

CVE-2025-52887 HIGH POC
7.5 Jun 26

cpp-httplib is a C++11 single-file header-only cross platform HTTP/HTTPS library. In version 0.21.0, when many http head

CVE-2025-53629 HIGH POC
7.5 Jul 10

CVE-2025-53629 is a Denial of Service vulnerability in cpp-httplib versions prior to 0.23.0 that allows unauthenticated

CVE-2026-22776 HIGH POC
7.5 Jan 12

cpp-httplib versions prior to 0.30.1 are vulnerable to denial of service attacks due to insufficient validation of decom

CVE-2026-28435 HIGH POC
7.5 Mar 04

cpp-httplib is a C++11 single-file header-only cross platform HTTP/HTTPS library. [CVSS 7.5 HIGH]

CVE-2026-21428 HIGH POC
7.5 Jan 01

Cpp-Httplib versions up to 0.30.0 contains a vulnerability that allows attackers to add extra headers, modify request bo

CVE-2020-11709 HIGH POC
7.5 Apr 12

cpp-httplib through 0.5.8 does not filter \r\n in parameters passed into the set_redirect and set_header functions, whic

CVE-2026-29076 MEDIUM POC
5.9 Mar 07

Remote denial of service in cpp-httplib prior to version 0.37.0 allows unauthenticated attackers to crash server process

CVE-2025-66577 MEDIUM POC
5.3 Dec 05

A security vulnerability in cpp-httplib (CVSS 5.3) that allows attacker-controlled http headers. Risk factors: public Po

CVE-2026-28434 MEDIUM POC
5.3 Mar 04

cpp-httplib is a C++11 single-file header-only cross platform HTTP/HTTPS library. [CVSS 5.3 MEDIUM]

Share

EUVD-2026-42942 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy