
CVE-2025-66570: CWE-290: Authentication Bypass by Spoofing in yhirose cpp-httplib

Critical
Type: Vulnerability | CVE-2025-66570 | Tags: cve, cve-2025-66570, cwe-290, cwe-345, cwe-807
Published: Fri Dec 05 2025 (12/05/2025, 18:18:02 UTC)
Source: CVE Database V5
Vendor/Project: yhirose
Product: cpp-httplib

Description

cpp-httplib is a C++11 single-file header-only cross platform HTTP/HTTPS library. Prior to 0.27.0, a vulnerability allows attacker-controlled HTTP headers to influence server-visible metadata, logging, and authorization decisions. An attacker can inject headers named REMOTE_ADDR, REMOTE_PORT, LOCAL_ADDR, LOCAL_PORT that are parsed into the request header multimap via read_headers() in httplib.h (headers.emplace), then the server later appends its own internal metadata using the same header names in Server::process_request without erasing duplicates. Because Request::get_header_value returns the first entry for a header key (id == 0) and the client-supplied headers are parsed before server-inserted headers, downstream code that uses these header names may inadvertently use attacker-controlled values. Affected files/locations: cpp-httplib/httplib.h (read_headers, Server::process_request, Request::get_header_value, get_header_value_u64) and cpp-httplib/docker/main.cc (get_client_ip, nginx_access_logger, nginx_error_logger). Attack surface: attacker-controlled HTTP headers in incoming requests flow into the Request.headers multimap and into logging code that reads forwarded headers, enabling IP spoofing, log poisoning, and authorization bypass via header shadowing. This vulnerability is fixed in 0.27.0.

AI-Powered Analysis

Last updated: 12/05/2025, 18:45:19 UTC

Technical Analysis

CVE-2025-66570 is an authentication bypass vulnerability in the yhirose cpp-httplib library, a widely used C++11 single-header HTTP/HTTPS client-server library. Versions prior to 0.27.0 improperly handle certain HTTP headers that influence server-side metadata and authorization decisions. Specifically, attacker-controlled headers named REMOTE_ADDR, REMOTE_PORT, LOCAL_ADDR, and LOCAL_PORT are parsed into the request header multimap via the read_headers() function without filtering or validation. The server later appends its own internal metadata using the same header names in Server::process_request but does not erase duplicates. Because Request::get_header_value returns the first header entry, which is attacker-supplied, downstream code relying on these headers for IP-based authorization or logging uses spoofed values. This allows attackers to spoof client IP addresses, poison logs, and bypass authorization checks that depend on these headers. The vulnerability affects key functions in httplib.h and related logging code in docker/main.cc. The attack surface includes any incoming HTTP requests where the attacker can inject headers. Exploitation requires no authentication or user interaction and can be performed remotely over the network. The vulnerability has a CVSS 3.1 base score of 10.0 (critical) due to its high impact on confidentiality and integrity and ease of exploitation. No known exploits are currently reported in the wild. The issue is resolved in cpp-httplib version 0.27.0 by properly handling duplicate headers and ensuring server-generated metadata cannot be overridden by client input.
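The header shadowing described in the Description and in the analysis above can be reproduced with a small model. This is an added example, not code from cpp-httplib or from this advisory: `Headers`, `first_value`, both `append_metadata_*` functions, `carries_reserved_name` and the sample request are hypothetical names and constructed data, and the hardened variant is one possible way to stop the shadowing, not necessarily the change made in 0.27.0.

```cpp
#include <map>
#include <string>

// Simplified stand-in for the request header multimap (assumption: the real
// container is case-insensitive; plain std::multimap is used here).
using Headers = std::multimap<std::string, std::string>;

// Models a lookup that returns the first entry for a key (id == 0).
std::string first_value(const Headers &h, const std::string &key) {
  auto range = h.equal_range(key);
  return range.first == range.second ? std::string() : range.first->second;
}

// Pre-fix pattern described in the advisory: server metadata is appended
// under the same name without erasing client-supplied duplicates.
void append_metadata_shadowable(Headers &h, const std::string &peer_ip) {
  h.emplace("REMOTE_ADDR", peer_ip);
}

// Hardened pattern (hypothetical): drop any client-supplied entry first, so
// the only value left is the one taken from the socket.
void append_metadata_hardened(Headers &h, const std::string &peer_ip) {
  h.erase("REMOTE_ADDR");
  h.emplace("REMOTE_ADDR", peer_ip);
}

// Defensive check usable in a pre-routing hook or log pipeline: flags a
// parsed request that already carries one of the reserved metadata names.
bool carries_reserved_name(const Headers &parsed) {
  for (const char *name : {"REMOTE_ADDR", "REMOTE_PORT", "LOCAL_ADDR", "LOCAL_PORT"})
    if (parsed.count(name) > 0) return true;
  return false;
}

// Constructed sample: headers as parsed from a client request.
Headers sample_request() {
  return Headers{{"Host", "internal.example"}, {"REMOTE_ADDR", "127.0.0.1"}};
}

int main() {
  Headers a = sample_request(), b = sample_request();
  append_metadata_shadowable(a, "203.0.113.7");
  append_metadata_hardened(b, "203.0.113.7");
  // a yields the client-supplied value, b yields the socket-derived one.
  return (first_value(a, "REMOTE_ADDR") == "127.0.0.1" &&
          first_value(b, "REMOTE_ADDR") == "203.0.113.7") ? 0 : 1;
}
```

Since C++11, `std::multimap` keeps entries with equal keys in insertion order, which is why the value parsed from the request is returned ahead of the value the server appends.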

Potential Impact

For European organizations, this vulnerability poses a significant risk, especially to those using cpp-httplib in web servers, microservices, or embedded systems that rely on HTTP headers for client identification and authorization. Attackers can spoof IP addresses to bypass IP-based access controls, potentially gaining unauthorized access to sensitive systems or data. Log poisoning can obscure attack traces or mislead incident response teams, complicating forensic investigations. Critical infrastructure sectors such as finance, healthcare, and government services that use C++ libraries for backend services are particularly vulnerable. The ability to bypass authentication without credentials or user interaction increases the risk of automated attacks and lateral movement within networks. Organizations relying on cpp-httplib for internal or external APIs may face data breaches or service disruptions. The vulnerability undermines trust in logging and monitoring systems, which are essential for compliance with European data protection regulations like GDPR. Failure to patch promptly could lead to regulatory penalties and reputational damage.

Mitigation Recommendations

The primary mitigation is to upgrade all instances of cpp-httplib to version 0.27.0 or later, where this vulnerability is fixed. Organizations should audit their codebases and dependencies to identify usage of vulnerable cpp-httplib versions. Additionally, implement strict validation and sanitization of incoming HTTP headers, especially those related to client IP and port information. Servers should avoid relying solely on client-supplied headers for authorization decisions and instead use secure, server-controlled mechanisms for client identification. Logging systems must be hardened to detect and reject suspicious or duplicate headers that could indicate spoofing attempts. Network-level protections such as Web Application Firewalls (WAFs) can be configured to block or alert on anomalous header patterns. Security teams should enhance monitoring for unusual access patterns and conduct regular penetration testing to verify the effectiveness of mitigations. Finally, ensure incident response plans include procedures for detecting and responding to header spoofing and log poisoning attacks.


Technical Details

Data Version: 5.2
Assigner Short Name: GitHub_M
Date Reserved: 2025-12-04T16:17:35.386Z
CVSS Version: 3.1
State: PUBLISHED

Threat ID: 693324bbf88dbe026c02bd7a

Added to database: 12/5/2025, 6:30:19 PM

Last enriched: 12/5/2025, 6:45:19 PM

Last updated: 12/6/2025, 5:37:36 AM
