The cpp-httplib library, a popular C++11 single-header HTTP/HTTPS library, prior to version 0.27.0 contains a critical authentication bypass vulnerability (CVE-2025-66570) stemming from improper handling of HTTP headers. Specifically, attacker-controlled headers named REMOTE_ADDR, REMOTE_PORT, LOCAL_ADDR, and LOCAL_PORT are parsed into the request's header multimap before the server appends its own internal metadata headers with the same names. Because the Request::get_header_value method returns the first instance of a header key, the client-supplied headers take precedence over the server-generated ones. This header shadowing enables attackers to spoof client IP addresses and ports, poison logs, and bypass authorization mechanisms that rely on these headers for client identification or access control. The vulnerability affects multiple code locations within cpp-httplib, including read_headers(), Server::process_request(), and logging functions in docker/main.cc. Exploitation requires no authentication or user interaction and can be performed remotely by sending crafted HTTP requests with malicious headers. The flaw compromises confidentiality and integrity by allowing attackers to impersonate trusted clients or evade detection. The vulnerability is fixed in version 0.27.0 by ensuring server-generated metadata headers override or replace client-supplied headers with the same names. No known exploits are currently reported in the wild, but the critical CVSS score of 10.0 highlights the urgent need for patching.

For European organizations, this vulnerability poses a significant risk to web services and applications that incorporate the vulnerable cpp-httplib library. Attackers can spoof IP addresses and ports, leading to unauthorized access if IP-based authentication or authorization is used. Log poisoning can obscure attack traces or mislead incident response efforts, complicating forensic investigations. Confidentiality is at risk as attackers may impersonate legitimate clients to access sensitive data or services. Integrity is compromised because authorization decisions based on spoofed headers can allow privilege escalation or unauthorized actions. Availability is less directly impacted but could be affected if attackers leverage the bypass to perform further attacks. Given the library's cross-platform nature and use in embedded and server applications, the scope of affected systems is broad. European organizations in sectors such as finance, healthcare, government, and critical infrastructure that rely on cpp-httplib for HTTP communications are particularly vulnerable. The vulnerability's ease of exploitation without authentication or user interaction increases the likelihood of attacks, especially in environments with exposed HTTP endpoints.

European organizations should immediately identify any use of cpp-httplib versions prior to 0.27.0 in their software stacks, including embedded systems, internal tools, and third-party applications. The primary mitigation is to upgrade to cpp-httplib version 0.27.0 or later, where the vulnerability is fixed by proper header handling. If upgrading is not immediately feasible, organizations should implement strict input validation and filtering at the network perimeter or application firewall to block or sanitize suspicious HTTP headers named REMOTE_ADDR, REMOTE_PORT, LOCAL_ADDR, and LOCAL_PORT. Application-level logging and authorization code should be reviewed to ensure they do not trust client-supplied headers for critical decisions. Employing additional authentication factors beyond IP-based checks can reduce risk. Monitoring logs for anomalous header values or repeated attempts to inject spoofed headers can aid early detection. Finally, organizations should conduct security testing and code reviews to verify no other header injection or spoofing vulnerabilities exist in their HTTP handling components.