Search criteria
9 vulnerabilities found for cpp-httplib by cpp-httplib_project
FKIE_CVE-2025-46728
Vulnerability from fkie_nvd - Published: 2025-05-06 01:15 - Updated: 2025-08-01 21:25
Severity ?
Summary
cpp-httplib is a C++ header-only HTTP/HTTPS server and client library. Prior to version 0.20.1, the library fails to enforce configured size limits on incoming request bodies when `Transfer-Encoding: chunked` is used or when no `Content-Length` header is provided. A remote attacker can send a chunked request without the terminating zero-length chunk, causing uncontrolled memory allocation on the server. This leads to potential exhaustion of system memory and results in a server crash or unresponsiveness. Version 0.20.1 fixes the issue by enforcing limits during parsing. If the limit is exceeded at any point during reading, the connection is terminated immediately. A short-term workaround through a Reverse Proxy is available. If updating the library immediately is not feasible, deploy a reverse proxy (e.g., Nginx, HAProxy) in front of the `cpp-httplib` application. Configure the proxy to enforce maximum request body size limits, thereby stopping excessively large requests before they reach the vulnerable library code.
References
Impacted products
| Vendor | Product | Version | |
|---|---|---|---|
| cpp-httplib_project | cpp-httplib | * |
{
"configurations": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:a:cpp-httplib_project:cpp-httplib:*:*:*:*:*:*:*:*",
"matchCriteriaId": "080C33DC-9FA8-4E78-B951-975B1CEB2A2D",
"versionEndExcluding": "0.20.1",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"cveTags": [],
"descriptions": [
{
"lang": "en",
"value": "cpp-httplib is a C++ header-only HTTP/HTTPS server and client library. Prior to version 0.20.1, the library fails to enforce configured size limits on incoming request bodies when `Transfer-Encoding: chunked` is used or when no `Content-Length` header is provided. A remote attacker can send a chunked request without the terminating zero-length chunk, causing uncontrolled memory allocation on the server. This leads to potential exhaustion of system memory and results in a server crash or unresponsiveness. Version 0.20.1 fixes the issue by enforcing limits during parsing. If the limit is exceeded at any point during reading, the connection is terminated immediately. A short-term workaround through a Reverse Proxy is available. If updating the library immediately is not feasible, deploy a reverse proxy (e.g., Nginx, HAProxy) in front of the `cpp-httplib` application. Configure the proxy to enforce maximum request body size limits, thereby stopping excessively large requests before they reach the vulnerable library code."
},
{
"lang": "es",
"value": "cpp-httplib es una librer\u00eda de cliente y servidor HTTP/HTTPS de solo encabezado de C++. Antes de la versi\u00f3n 0.20.1, la librer\u00eda no aplicaba los l\u00edmites de tama\u00f1o configurados en los cuerpos de las solicitudes entrantes cuando se usaba `Transfer-Encoding: chunked` o cuando no se proporcionaba el encabezado `Content-Length`. Un atacante remoto podr\u00eda enviar una solicitud fragmentada sin el fragmento de longitud cero de terminaci\u00f3n, lo que causaba una asignaci\u00f3n de memoria incontrolada en el servidor. Esto podr\u00eda agotar la memoria del sistema y provocar un bloqueo o falta de respuesta del servidor. La versi\u00f3n 0.20.1 soluciona el problema aplicando l\u00edmites durante el an\u00e1lisis. Si se supera el l\u00edmite en cualquier momento durante la lectura, la conexi\u00f3n se termina inmediatamente. Existe una soluci\u00f3n temporal a trav\u00e9s de un proxy inverso. Si no es posible actualizar la librer\u00eda inmediatamente, implemente un proxy inverso (p. ej., Nginx, HAProxy) delante de la aplicaci\u00f3n `cpp-httplib`. Configure el proxy para aplicar l\u00edmites de tama\u00f1o m\u00e1ximo en el cuerpo de la solicitud, deteniendo as\u00ed las solicitudes excesivamente grandes antes de que lleguen al c\u00f3digo de la librer\u00eda vulnerable."
}
],
"id": "CVE-2025-46728",
"lastModified": "2025-08-01T21:25:50.847",
"metrics": {
"cvssMetricV31": [
{
"cvssData": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 7.5,
"baseSeverity": "HIGH",
"confidentialityImpact": "NONE",
"integrityImpact": "NONE",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
"version": "3.1"
},
"exploitabilityScore": 3.9,
"impactScore": 3.6,
"source": "security-advisories@github.com",
"type": "Secondary"
}
]
},
"published": "2025-05-06T01:15:50.790",
"references": [
{
"source": "security-advisories@github.com",
"tags": [
"Patch"
],
"url": "https://github.com/yhirose/cpp-httplib/commit/7b752106ac42bd5b907793950d9125a0972c8e8e"
},
{
"source": "security-advisories@github.com",
"tags": [
"Exploit",
"Vendor Advisory"
],
"url": "https://github.com/yhirose/cpp-httplib/security/advisories/GHSA-px83-72rx-v57c"
}
],
"sourceIdentifier": "security-advisories@github.com",
"vulnStatus": "Analyzed",
"weaknesses": [
{
"description": [
{
"lang": "en",
"value": "CWE-400"
}
],
"source": "security-advisories@github.com",
"type": "Primary"
}
]
}
FKIE_CVE-2023-26130
Vulnerability from fkie_nvd - Published: 2023-05-30 05:15 - Updated: 2024-11-21 07:50
Severity ?
7.5 (High) - CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N
8.8 (High) - CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
8.8 (High) - CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
Summary
Versions of the package yhirose/cpp-httplib before 0.12.4 are vulnerable to CRLF Injection when untrusted user input is used to set the content-type header in the HTTP .Patch, .Post, .Put and .Delete requests. This can lead to logical errors and other misbehaviors.
**Note:** This issue is present due to an incomplete fix for [CVE-2020-11709](https://security.snyk.io/vuln/SNYK-UNMANAGED-YHIROSECPPHTTPLIB-2366507).
References
Impacted products
| Vendor | Product | Version | |
|---|---|---|---|
| cpp-httplib_project | cpp-httplib | * |
{
"configurations": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:a:cpp-httplib_project:cpp-httplib:*:*:*:*:*:*:*:*",
"matchCriteriaId": "82D45946-8A73-4582-8C24-7B6F4955A9BF",
"versionEndExcluding": "0.12.4",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"cveTags": [],
"descriptions": [
{
"lang": "en",
"value": "Versions of the package yhirose/cpp-httplib before 0.12.4 are vulnerable to CRLF Injection when untrusted user input is used to set the content-type header in the HTTP .Patch, .Post, .Put and .Delete requests. This can lead to logical errors and other misbehaviors.\r\r**Note:** This issue is present due to an incomplete fix for [CVE-2020-11709](https://security.snyk.io/vuln/SNYK-UNMANAGED-YHIROSECPPHTTPLIB-2366507)."
}
],
"id": "CVE-2023-26130",
"lastModified": "2024-11-21T07:50:50.233",
"metrics": {
"cvssMetricV31": [
{
"cvssData": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 7.5,
"baseSeverity": "HIGH",
"confidentialityImpact": "NONE",
"integrityImpact": "HIGH",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N",
"version": "3.1"
},
"exploitabilityScore": 3.9,
"impactScore": 3.6,
"source": "report@snyk.io",
"type": "Secondary"
},
{
"cvssData": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 8.8,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H",
"version": "3.1"
},
"exploitabilityScore": 2.8,
"impactScore": 5.9,
"source": "nvd@nist.gov",
"type": "Primary"
}
]
},
"published": "2023-05-30T05:15:10.640",
"references": [
{
"source": "report@snyk.io",
"tags": [
"Third Party Advisory"
],
"url": "https://gist.github.com/dellalibera/094aece17a86069a7d27f93c8aba2280"
},
{
"source": "report@snyk.io",
"tags": [
"Patch"
],
"url": "https://github.com/yhirose/cpp-httplib/commit/5b397d455d25a391ba346863830c1949627b4d08"
},
{
"source": "report@snyk.io",
"tags": [
"Release Notes"
],
"url": "https://github.com/yhirose/cpp-httplib/releases/tag/v0.12.4"
},
{
"source": "report@snyk.io",
"url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/2RY6PKBU73I45L6YWNYCUK2XBEXEFX7L/"
},
{
"source": "report@snyk.io",
"url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/JY2E7EIRWQMKH6GY4OZOWWBZBY3Q7CGS/"
},
{
"source": "report@snyk.io",
"url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/NYODHZECXYFC2BNODZPZXZAXOKGMCYAP/"
},
{
"source": "report@snyk.io",
"url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/U6MO4FSKYNSAJVUXYP7LRY7ARUIGKBFL/"
},
{
"source": "report@snyk.io",
"tags": [
"Third Party Advisory"
],
"url": "https://security.snyk.io/vuln/SNYK-UNMANAGED-YHIROSECPPHTTPLIB-5591194"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Third Party Advisory"
],
"url": "https://gist.github.com/dellalibera/094aece17a86069a7d27f93c8aba2280"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Patch"
],
"url": "https://github.com/yhirose/cpp-httplib/commit/5b397d455d25a391ba346863830c1949627b4d08"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Release Notes"
],
"url": "https://github.com/yhirose/cpp-httplib/releases/tag/v0.12.4"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/2RY6PKBU73I45L6YWNYCUK2XBEXEFX7L/"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/JY2E7EIRWQMKH6GY4OZOWWBZBY3Q7CGS/"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/NYODHZECXYFC2BNODZPZXZAXOKGMCYAP/"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/U6MO4FSKYNSAJVUXYP7LRY7ARUIGKBFL/"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Third Party Advisory"
],
"url": "https://security.snyk.io/vuln/SNYK-UNMANAGED-YHIROSECPPHTTPLIB-5591194"
}
],
"sourceIdentifier": "report@snyk.io",
"vulnStatus": "Modified",
"weaknesses": [
{
"description": [
{
"lang": "en",
"value": "CWE-93"
}
],
"source": "report@snyk.io",
"type": "Secondary"
},
{
"description": [
{
"lang": "en",
"value": "CWE-74"
}
],
"source": "nvd@nist.gov",
"type": "Primary"
},
{
"description": [
{
"lang": "en",
"value": "CWE-77"
}
],
"source": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"type": "Secondary"
}
]
}
FKIE_CVE-2020-11709
Vulnerability from fkie_nvd - Published: 2020-04-12 14:15 - Updated: 2025-08-05 20:28
Severity ?
Summary
cpp-httplib through 0.5.8 does not filter \r\n in parameters passed into the set_redirect and set_header functions, which creates possibilities for CRLF injection and HTTP response splitting in some specific contexts.
References
| URL | Tags | ||
|---|---|---|---|
| cve@mitre.org | https://gist.github.com/shouc/a9330df817128bc4c4132abf3de09495 | Exploit, Third Party Advisory | |
| cve@mitre.org | https://github.com/yhirose/cpp-httplib/issues/425 | Exploit, Third Party Advisory | |
| af854a3a-2127-422b-91ae-364da2661108 | https://gist.github.com/shouc/a9330df817128bc4c4132abf3de09495 | Exploit, Third Party Advisory | |
| af854a3a-2127-422b-91ae-364da2661108 | https://github.com/yhirose/cpp-httplib/issues/425 | Exploit, Third Party Advisory |
Impacted products
| Vendor | Product | Version | |
|---|---|---|---|
| yhirose | cpp-httplib | * |
{
"configurations": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:a:yhirose:cpp-httplib:*:*:*:*:*:*:*:*",
"matchCriteriaId": "23DFCE35-58B9-4C91-99BB-D0FEDB63F3E8",
"versionEndIncluding": "0.5.8",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"cveTags": [],
"descriptions": [
{
"lang": "en",
"value": "cpp-httplib through 0.5.8 does not filter \\r\\n in parameters passed into the set_redirect and set_header functions, which creates possibilities for CRLF injection and HTTP response splitting in some specific contexts."
},
{
"lang": "es",
"value": "cpp-httplib versiones hasta 0.5.8, no filtra \\r\\n en los par\u00e1metros pasados a las funciones set_redirect y set_header, lo que crea posibilidades para la inyecci\u00f3n de CRLF y la divisi\u00f3n de respuestas HTTP en algunos contextos espec\u00edficos."
}
],
"id": "CVE-2020-11709",
"lastModified": "2025-08-05T20:28:36.623",
"metrics": {
"cvssMetricV2": [
{
"acInsufInfo": false,
"baseSeverity": "MEDIUM",
"cvssData": {
"accessComplexity": "LOW",
"accessVector": "NETWORK",
"authentication": "NONE",
"availabilityImpact": "NONE",
"baseScore": 5.0,
"confidentialityImpact": "NONE",
"integrityImpact": "PARTIAL",
"vectorString": "AV:N/AC:L/Au:N/C:N/I:P/A:N",
"version": "2.0"
},
"exploitabilityScore": 10.0,
"impactScore": 2.9,
"obtainAllPrivilege": false,
"obtainOtherPrivilege": false,
"obtainUserPrivilege": false,
"source": "nvd@nist.gov",
"type": "Primary",
"userInteractionRequired": false
}
],
"cvssMetricV31": [
{
"cvssData": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 7.5,
"baseSeverity": "HIGH",
"confidentialityImpact": "NONE",
"integrityImpact": "HIGH",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N",
"version": "3.1"
},
"exploitabilityScore": 3.9,
"impactScore": 3.6,
"source": "nvd@nist.gov",
"type": "Primary"
}
]
},
"published": "2020-04-12T14:15:10.750",
"references": [
{
"source": "cve@mitre.org",
"tags": [
"Exploit",
"Third Party Advisory"
],
"url": "https://gist.github.com/shouc/a9330df817128bc4c4132abf3de09495"
},
{
"source": "cve@mitre.org",
"tags": [
"Exploit",
"Third Party Advisory"
],
"url": "https://github.com/yhirose/cpp-httplib/issues/425"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Exploit",
"Third Party Advisory"
],
"url": "https://gist.github.com/shouc/a9330df817128bc4c4132abf3de09495"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Exploit",
"Third Party Advisory"
],
"url": "https://github.com/yhirose/cpp-httplib/issues/425"
}
],
"sourceIdentifier": "cve@mitre.org",
"vulnStatus": "Modified",
"weaknesses": [
{
"description": [
{
"lang": "en",
"value": "CWE-74"
}
],
"source": "nvd@nist.gov",
"type": "Primary"
}
]
}
CVE-2025-46728 (GCVE-0-2025-46728)
Vulnerability from cvelistv5 – Published: 2025-05-06 00:45 – Updated: 2025-05-06 02:43
VLAI?
Summary
cpp-httplib is a C++ header-only HTTP/HTTPS server and client library. Prior to version 0.20.1, the library fails to enforce configured size limits on incoming request bodies when `Transfer-Encoding: chunked` is used or when no `Content-Length` header is provided. A remote attacker can send a chunked request without the terminating zero-length chunk, causing uncontrolled memory allocation on the server. This leads to potential exhaustion of system memory and results in a server crash or unresponsiveness. Version 0.20.1 fixes the issue by enforcing limits during parsing. If the limit is exceeded at any point during reading, the connection is terminated immediately. A short-term workaround through a Reverse Proxy is available. If updating the library immediately is not feasible, deploy a reverse proxy (e.g., Nginx, HAProxy) in front of the `cpp-httplib` application. Configure the proxy to enforce maximum request body size limits, thereby stopping excessively large requests before they reach the vulnerable library code.
Severity ?
7.5 (High)
CWE
- CWE-400 - Uncontrolled Resource Consumption
Assigner
References
| URL | Tags | |||||||
|---|---|---|---|---|---|---|---|---|
|
||||||||
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| yhirose | cpp-httplib |
Affected:
< 0.20.1
|
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2025-46728",
"options": [
{
"Exploitation": "poc"
},
{
"Automatable": "yes"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2025-05-06T02:43:34.093374Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2025-05-06T02:43:44.757Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"product": "cpp-httplib",
"vendor": "yhirose",
"versions": [
{
"status": "affected",
"version": "\u003c 0.20.1"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "cpp-httplib is a C++ header-only HTTP/HTTPS server and client library. Prior to version 0.20.1, the library fails to enforce configured size limits on incoming request bodies when `Transfer-Encoding: chunked` is used or when no `Content-Length` header is provided. A remote attacker can send a chunked request without the terminating zero-length chunk, causing uncontrolled memory allocation on the server. This leads to potential exhaustion of system memory and results in a server crash or unresponsiveness. Version 0.20.1 fixes the issue by enforcing limits during parsing. If the limit is exceeded at any point during reading, the connection is terminated immediately. A short-term workaround through a Reverse Proxy is available. If updating the library immediately is not feasible, deploy a reverse proxy (e.g., Nginx, HAProxy) in front of the `cpp-httplib` application. Configure the proxy to enforce maximum request body size limits, thereby stopping excessively large requests before they reach the vulnerable library code."
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 7.5,
"baseSeverity": "HIGH",
"confidentialityImpact": "NONE",
"integrityImpact": "NONE",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-400",
"description": "CWE-400: Uncontrolled Resource Consumption",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2025-05-06T00:45:25.130Z",
"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"shortName": "GitHub_M"
},
"references": [
{
"name": "https://github.com/yhirose/cpp-httplib/security/advisories/GHSA-px83-72rx-v57c",
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://github.com/yhirose/cpp-httplib/security/advisories/GHSA-px83-72rx-v57c"
},
{
"name": "https://github.com/yhirose/cpp-httplib/commit/7b752106ac42bd5b907793950d9125a0972c8e8e",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/yhirose/cpp-httplib/commit/7b752106ac42bd5b907793950d9125a0972c8e8e"
}
],
"source": {
"advisory": "GHSA-px83-72rx-v57c",
"discovery": "UNKNOWN"
},
"title": "cpp-httplib has Unbounded Memory Allocation in Chunked/No-Length Requests"
}
},
"cveMetadata": {
"assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"assignerShortName": "GitHub_M",
"cveId": "CVE-2025-46728",
"datePublished": "2025-05-06T00:45:25.130Z",
"dateReserved": "2025-04-28T20:56:09.084Z",
"dateUpdated": "2025-05-06T02:43:44.757Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2023-26130 (GCVE-0-2023-26130)
Vulnerability from cvelistv5 – Published: 2023-05-30 05:00 – Updated: 2025-02-13 16:44
VLAI?
Summary
Versions of the package yhirose/cpp-httplib before 0.12.4 are vulnerable to CRLF Injection when untrusted user input is used to set the content-type header in the HTTP .Patch, .Post, .Put and .Delete requests. This can lead to logical errors and other misbehaviors.
**Note:** This issue is present due to an incomplete fix for [CVE-2020-11709](https://security.snyk.io/vuln/SNYK-UNMANAGED-YHIROSECPPHTTPLIB-2366507).
Severity ?
7.5 (High)
CWE
- CWE-93 - CRLF Injection
Assigner
References
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| n/a | yhirose/cpp-httplib |
Affected:
0 , < 0.12.4
(semver)
|
Credits
Alessio Della Libera
{
"containers": {
"adp": [
{
"affected": [
{
"cpes": [
"cpe:2.3:a:yhirose:cpp-httplib:*:*:*:*:*:*:*:*"
],
"defaultStatus": "unknown",
"product": "cpp-httplib",
"vendor": "yhirose",
"versions": [
{
"lessThan": "0.12.4",
"status": "affected",
"version": "0",
"versionType": "semver"
}
]
}
],
"metrics": [
{
"other": {
"content": {
"id": "CVE-2023-26130",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2024-05-21T17:28:43.927254Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-77",
"description": "CWE-77 Improper Neutralization of Special Elements used in a Command (\u0027Command Injection\u0027)",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2024-10-28T19:22:51.208Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
},
{
"providerMetadata": {
"dateUpdated": "2024-08-02T11:39:06.601Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_transferred"
],
"url": "https://security.snyk.io/vuln/SNYK-UNMANAGED-YHIROSECPPHTTPLIB-5591194"
},
{
"tags": [
"x_transferred"
],
"url": "https://gist.github.com/dellalibera/094aece17a86069a7d27f93c8aba2280"
},
{
"tags": [
"x_transferred"
],
"url": "https://github.com/yhirose/cpp-httplib/releases/tag/v0.12.4"
},
{
"tags": [
"x_transferred"
],
"url": "https://github.com/yhirose/cpp-httplib/commit/5b397d455d25a391ba346863830c1949627b4d08"
},
{
"tags": [
"x_transferred"
],
"url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/JY2E7EIRWQMKH6GY4OZOWWBZBY3Q7CGS/"
},
{
"tags": [
"x_transferred"
],
"url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/U6MO4FSKYNSAJVUXYP7LRY7ARUIGKBFL/"
},
{
"tags": [
"x_transferred"
],
"url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/2RY6PKBU73I45L6YWNYCUK2XBEXEFX7L/"
},
{
"tags": [
"x_transferred"
],
"url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/NYODHZECXYFC2BNODZPZXZAXOKGMCYAP/"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"product": "yhirose/cpp-httplib",
"vendor": "n/a",
"versions": [
{
"lessThan": "0.12.4",
"status": "affected",
"version": "0",
"versionType": "semver"
}
]
}
],
"credits": [
{
"lang": "en",
"value": "Alessio Della Libera"
}
],
"descriptions": [
{
"lang": "en",
"value": "Versions of the package yhirose/cpp-httplib before 0.12.4 are vulnerable to CRLF Injection when untrusted user input is used to set the content-type header in the HTTP .Patch, .Post, .Put and .Delete requests. This can lead to logical errors and other misbehaviors.\r\r**Note:** This issue is present due to an incomplete fix for [CVE-2020-11709](https://security.snyk.io/vuln/SNYK-UNMANAGED-YHIROSECPPHTTPLIB-2366507)."
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 7.5,
"baseSeverity": "HIGH",
"confidentialityImpact": "NONE",
"integrityImpact": "HIGH",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-93",
"description": "CRLF Injection",
"lang": "en"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2024-05-02T03:06:14.205Z",
"orgId": "bae035ff-b466-4ff4-94d0-fc9efd9e1730",
"shortName": "snyk"
},
"references": [
{
"url": "https://security.snyk.io/vuln/SNYK-UNMANAGED-YHIROSECPPHTTPLIB-5591194"
},
{
"url": "https://gist.github.com/dellalibera/094aece17a86069a7d27f93c8aba2280"
},
{
"url": "https://github.com/yhirose/cpp-httplib/releases/tag/v0.12.4"
},
{
"url": "https://github.com/yhirose/cpp-httplib/commit/5b397d455d25a391ba346863830c1949627b4d08"
},
{
"url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/JY2E7EIRWQMKH6GY4OZOWWBZBY3Q7CGS/"
},
{
"url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/U6MO4FSKYNSAJVUXYP7LRY7ARUIGKBFL/"
},
{
"url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/2RY6PKBU73I45L6YWNYCUK2XBEXEFX7L/"
},
{
"url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/NYODHZECXYFC2BNODZPZXZAXOKGMCYAP/"
}
]
}
},
"cveMetadata": {
"assignerOrgId": "bae035ff-b466-4ff4-94d0-fc9efd9e1730",
"assignerShortName": "snyk",
"cveId": "CVE-2023-26130",
"datePublished": "2023-05-30T05:00:02.254Z",
"dateReserved": "2023-02-20T10:28:48.924Z",
"dateUpdated": "2025-02-13T16:44:51.068Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2020-11709 (GCVE-0-2020-11709)
Vulnerability from cvelistv5 – Published: 2020-04-12 13:30 – Updated: 2024-08-04 11:35
VLAI?
Summary
cpp-httplib through 0.5.8 does not filter \r\n in parameters passed into the set_redirect and set_header functions, which creates possibilities for CRLF injection and HTTP response splitting in some specific contexts.
Severity ?
No CVSS data available.
CWE
- n/a
Assigner
References
| URL | Tags | |||||||
|---|---|---|---|---|---|---|---|---|
|
||||||||
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-04T11:35:13.775Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://github.com/yhirose/cpp-httplib/issues/425"
},
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://gist.github.com/shouc/a9330df817128bc4c4132abf3de09495"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"product": "n/a",
"vendor": "n/a",
"versions": [
{
"status": "affected",
"version": "n/a"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "cpp-httplib through 0.5.8 does not filter \\r\\n in parameters passed into the set_redirect and set_header functions, which creates possibilities for CRLF injection and HTTP response splitting in some specific contexts."
}
],
"problemTypes": [
{
"descriptions": [
{
"description": "n/a",
"lang": "en",
"type": "text"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2020-04-12T13:30:29",
"orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
"shortName": "mitre"
},
"references": [
{
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/yhirose/cpp-httplib/issues/425"
},
{
"tags": [
"x_refsource_MISC"
],
"url": "https://gist.github.com/shouc/a9330df817128bc4c4132abf3de09495"
}
],
"x_legacyV4Record": {
"CVE_data_meta": {
"ASSIGNER": "cve@mitre.org",
"ID": "CVE-2020-11709",
"STATE": "PUBLIC"
},
"affects": {
"vendor": {
"vendor_data": [
{
"product": {
"product_data": [
{
"product_name": "n/a",
"version": {
"version_data": [
{
"version_value": "n/a"
}
]
}
}
]
},
"vendor_name": "n/a"
}
]
}
},
"data_format": "MITRE",
"data_type": "CVE",
"data_version": "4.0",
"description": {
"description_data": [
{
"lang": "eng",
"value": "cpp-httplib through 0.5.8 does not filter \\r\\n in parameters passed into the set_redirect and set_header functions, which creates possibilities for CRLF injection and HTTP response splitting in some specific contexts."
}
]
},
"problemtype": {
"problemtype_data": [
{
"description": [
{
"lang": "eng",
"value": "n/a"
}
]
}
]
},
"references": {
"reference_data": [
{
"name": "https://github.com/yhirose/cpp-httplib/issues/425",
"refsource": "MISC",
"url": "https://github.com/yhirose/cpp-httplib/issues/425"
},
{
"name": "https://gist.github.com/shouc/a9330df817128bc4c4132abf3de09495",
"refsource": "MISC",
"url": "https://gist.github.com/shouc/a9330df817128bc4c4132abf3de09495"
}
]
}
}
}
},
"cveMetadata": {
"assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
"assignerShortName": "mitre",
"cveId": "CVE-2020-11709",
"datePublished": "2020-04-12T13:30:29",
"dateReserved": "2020-04-12T00:00:00",
"dateUpdated": "2024-08-04T11:35:13.775Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2025-46728 (GCVE-0-2025-46728)
Vulnerability from nvd – Published: 2025-05-06 00:45 – Updated: 2025-05-06 02:43
VLAI?
Summary
cpp-httplib is a C++ header-only HTTP/HTTPS server and client library. Prior to version 0.20.1, the library fails to enforce configured size limits on incoming request bodies when `Transfer-Encoding: chunked` is used or when no `Content-Length` header is provided. A remote attacker can send a chunked request without the terminating zero-length chunk, causing uncontrolled memory allocation on the server. This leads to potential exhaustion of system memory and results in a server crash or unresponsiveness. Version 0.20.1 fixes the issue by enforcing limits during parsing. If the limit is exceeded at any point during reading, the connection is terminated immediately. A short-term workaround through a Reverse Proxy is available. If updating the library immediately is not feasible, deploy a reverse proxy (e.g., Nginx, HAProxy) in front of the `cpp-httplib` application. Configure the proxy to enforce maximum request body size limits, thereby stopping excessively large requests before they reach the vulnerable library code.
Severity ?
7.5 (High)
CWE
- CWE-400 - Uncontrolled Resource Consumption
Assigner
References
| URL | Tags | |||||||
|---|---|---|---|---|---|---|---|---|
|
||||||||
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| yhirose | cpp-httplib |
Affected:
< 0.20.1
|
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2025-46728",
"options": [
{
"Exploitation": "poc"
},
{
"Automatable": "yes"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2025-05-06T02:43:34.093374Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2025-05-06T02:43:44.757Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"product": "cpp-httplib",
"vendor": "yhirose",
"versions": [
{
"status": "affected",
"version": "\u003c 0.20.1"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "cpp-httplib is a C++ header-only HTTP/HTTPS server and client library. Prior to version 0.20.1, the library fails to enforce configured size limits on incoming request bodies when `Transfer-Encoding: chunked` is used or when no `Content-Length` header is provided. A remote attacker can send a chunked request without the terminating zero-length chunk, causing uncontrolled memory allocation on the server. This leads to potential exhaustion of system memory and results in a server crash or unresponsiveness. Version 0.20.1 fixes the issue by enforcing limits during parsing. If the limit is exceeded at any point during reading, the connection is terminated immediately. A short-term workaround through a Reverse Proxy is available. If updating the library immediately is not feasible, deploy a reverse proxy (e.g., Nginx, HAProxy) in front of the `cpp-httplib` application. Configure the proxy to enforce maximum request body size limits, thereby stopping excessively large requests before they reach the vulnerable library code."
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 7.5,
"baseSeverity": "HIGH",
"confidentialityImpact": "NONE",
"integrityImpact": "NONE",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-400",
"description": "CWE-400: Uncontrolled Resource Consumption",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2025-05-06T00:45:25.130Z",
"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"shortName": "GitHub_M"
},
"references": [
{
"name": "https://github.com/yhirose/cpp-httplib/security/advisories/GHSA-px83-72rx-v57c",
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://github.com/yhirose/cpp-httplib/security/advisories/GHSA-px83-72rx-v57c"
},
{
"name": "https://github.com/yhirose/cpp-httplib/commit/7b752106ac42bd5b907793950d9125a0972c8e8e",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/yhirose/cpp-httplib/commit/7b752106ac42bd5b907793950d9125a0972c8e8e"
}
],
"source": {
"advisory": "GHSA-px83-72rx-v57c",
"discovery": "UNKNOWN"
},
"title": "cpp-httplib has Unbounded Memory Allocation in Chunked/No-Length Requests"
}
},
"cveMetadata": {
"assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"assignerShortName": "GitHub_M",
"cveId": "CVE-2025-46728",
"datePublished": "2025-05-06T00:45:25.130Z",
"dateReserved": "2025-04-28T20:56:09.084Z",
"dateUpdated": "2025-05-06T02:43:44.757Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2023-26130 (GCVE-0-2023-26130)
Vulnerability from nvd – Published: 2023-05-30 05:00 – Updated: 2025-02-13 16:44
VLAI?
Summary
Versions of the package yhirose/cpp-httplib before 0.12.4 are vulnerable to CRLF Injection when untrusted user input is used to set the content-type header in the HTTP .Patch, .Post, .Put and .Delete requests. This can lead to logical errors and other misbehaviors.
**Note:** This issue is present due to an incomplete fix for [CVE-2020-11709](https://security.snyk.io/vuln/SNYK-UNMANAGED-YHIROSECPPHTTPLIB-2366507).
Severity ?
7.5 (High)
CWE
- CWE-93 - CRLF Injection
Assigner
References
| URL | Tags | |||||||||||||||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
|
||||||||||||||||||||||||||
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| n/a | yhirose/cpp-httplib |
Affected:
0 , < 0.12.4
(semver)
|
Credits
Alessio Della Libera
{
"containers": {
"adp": [
{
"affected": [
{
"cpes": [
"cpe:2.3:a:yhirose:cpp-httplib:*:*:*:*:*:*:*:*"
],
"defaultStatus": "unknown",
"product": "cpp-httplib",
"vendor": "yhirose",
"versions": [
{
"lessThan": "0.12.4",
"status": "affected",
"version": "0",
"versionType": "semver"
}
]
}
],
"metrics": [
{
"other": {
"content": {
"id": "CVE-2023-26130",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2024-05-21T17:28:43.927254Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-77",
"description": "CWE-77 Improper Neutralization of Special Elements used in a Command (\u0027Command Injection\u0027)",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2024-10-28T19:22:51.208Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
},
{
"providerMetadata": {
"dateUpdated": "2024-08-02T11:39:06.601Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_transferred"
],
"url": "https://security.snyk.io/vuln/SNYK-UNMANAGED-YHIROSECPPHTTPLIB-5591194"
},
{
"tags": [
"x_transferred"
],
"url": "https://gist.github.com/dellalibera/094aece17a86069a7d27f93c8aba2280"
},
{
"tags": [
"x_transferred"
],
"url": "https://github.com/yhirose/cpp-httplib/releases/tag/v0.12.4"
},
{
"tags": [
"x_transferred"
],
"url": "https://github.com/yhirose/cpp-httplib/commit/5b397d455d25a391ba346863830c1949627b4d08"
},
{
"tags": [
"x_transferred"
],
"url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/JY2E7EIRWQMKH6GY4OZOWWBZBY3Q7CGS/"
},
{
"tags": [
"x_transferred"
],
"url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/U6MO4FSKYNSAJVUXYP7LRY7ARUIGKBFL/"
},
{
"tags": [
"x_transferred"
],
"url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/2RY6PKBU73I45L6YWNYCUK2XBEXEFX7L/"
},
{
"tags": [
"x_transferred"
],
"url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/NYODHZECXYFC2BNODZPZXZAXOKGMCYAP/"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"product": "yhirose/cpp-httplib",
"vendor": "n/a",
"versions": [
{
"lessThan": "0.12.4",
"status": "affected",
"version": "0",
"versionType": "semver"
}
]
}
],
"credits": [
{
"lang": "en",
"value": "Alessio Della Libera"
}
],
"descriptions": [
{
"lang": "en",
"value": "Versions of the package yhirose/cpp-httplib before 0.12.4 are vulnerable to CRLF Injection when untrusted user input is used to set the content-type header in the HTTP .Patch, .Post, .Put and .Delete requests. This can lead to logical errors and other misbehaviors.\r\r**Note:** This issue is present due to an incomplete fix for [CVE-2020-11709](https://security.snyk.io/vuln/SNYK-UNMANAGED-YHIROSECPPHTTPLIB-2366507)."
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 7.5,
"baseSeverity": "HIGH",
"confidentialityImpact": "NONE",
"integrityImpact": "HIGH",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-93",
"description": "CRLF Injection",
"lang": "en"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2024-05-02T03:06:14.205Z",
"orgId": "bae035ff-b466-4ff4-94d0-fc9efd9e1730",
"shortName": "snyk"
},
"references": [
{
"url": "https://security.snyk.io/vuln/SNYK-UNMANAGED-YHIROSECPPHTTPLIB-5591194"
},
{
"url": "https://gist.github.com/dellalibera/094aece17a86069a7d27f93c8aba2280"
},
{
"url": "https://github.com/yhirose/cpp-httplib/releases/tag/v0.12.4"
},
{
"url": "https://github.com/yhirose/cpp-httplib/commit/5b397d455d25a391ba346863830c1949627b4d08"
},
{
"url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/JY2E7EIRWQMKH6GY4OZOWWBZBY3Q7CGS/"
},
{
"url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/U6MO4FSKYNSAJVUXYP7LRY7ARUIGKBFL/"
},
{
"url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/2RY6PKBU73I45L6YWNYCUK2XBEXEFX7L/"
},
{
"url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/NYODHZECXYFC2BNODZPZXZAXOKGMCYAP/"
}
]
}
},
"cveMetadata": {
"assignerOrgId": "bae035ff-b466-4ff4-94d0-fc9efd9e1730",
"assignerShortName": "snyk",
"cveId": "CVE-2023-26130",
"datePublished": "2023-05-30T05:00:02.254Z",
"dateReserved": "2023-02-20T10:28:48.924Z",
"dateUpdated": "2025-02-13T16:44:51.068Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2020-11709 (GCVE-0-2020-11709)
Vulnerability from nvd – Published: 2020-04-12 13:30 – Updated: 2024-08-04 11:35
VLAI?
Summary
cpp-httplib through 0.5.8 does not filter \r\n in parameters passed into the set_redirect and set_header functions, which creates possibilities for CRLF injection and HTTP response splitting in some specific contexts.
Severity ?
No CVSS data available.
CWE
- n/a
Assigner
References
| URL | Tags | |||||||
|---|---|---|---|---|---|---|---|---|
|
||||||||
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-04T11:35:13.775Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://github.com/yhirose/cpp-httplib/issues/425"
},
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://gist.github.com/shouc/a9330df817128bc4c4132abf3de09495"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"product": "n/a",
"vendor": "n/a",
"versions": [
{
"status": "affected",
"version": "n/a"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "cpp-httplib through 0.5.8 does not filter \\r\\n in parameters passed into the set_redirect and set_header functions, which creates possibilities for CRLF injection and HTTP response splitting in some specific contexts."
}
],
"problemTypes": [
{
"descriptions": [
{
"description": "n/a",
"lang": "en",
"type": "text"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2020-04-12T13:30:29",
"orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
"shortName": "mitre"
},
"references": [
{
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/yhirose/cpp-httplib/issues/425"
},
{
"tags": [
"x_refsource_MISC"
],
"url": "https://gist.github.com/shouc/a9330df817128bc4c4132abf3de09495"
}
],
"x_legacyV4Record": {
"CVE_data_meta": {
"ASSIGNER": "cve@mitre.org",
"ID": "CVE-2020-11709",
"STATE": "PUBLIC"
},
"affects": {
"vendor": {
"vendor_data": [
{
"product": {
"product_data": [
{
"product_name": "n/a",
"version": {
"version_data": [
{
"version_value": "n/a"
}
]
}
}
]
},
"vendor_name": "n/a"
}
]
}
},
"data_format": "MITRE",
"data_type": "CVE",
"data_version": "4.0",
"description": {
"description_data": [
{
"lang": "eng",
"value": "cpp-httplib through 0.5.8 does not filter \\r\\n in parameters passed into the set_redirect and set_header functions, which creates possibilities for CRLF injection and HTTP response splitting in some specific contexts."
}
]
},
"problemtype": {
"problemtype_data": [
{
"description": [
{
"lang": "eng",
"value": "n/a"
}
]
}
]
},
"references": {
"reference_data": [
{
"name": "https://github.com/yhirose/cpp-httplib/issues/425",
"refsource": "MISC",
"url": "https://github.com/yhirose/cpp-httplib/issues/425"
},
{
"name": "https://gist.github.com/shouc/a9330df817128bc4c4132abf3de09495",
"refsource": "MISC",
"url": "https://gist.github.com/shouc/a9330df817128bc4c4132abf3de09495"
}
]
}
}
}
},
"cveMetadata": {
"assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
"assignerShortName": "mitre",
"cveId": "CVE-2020-11709",
"datePublished": "2020-04-12T13:30:29",
"dateReserved": "2020-04-12T00:00:00",
"dateUpdated": "2024-08-04T11:35:13.775Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}