CVE-2025-66577: CWE-117: Improper Output Neutralization for Logs in yhirose cpp-httplib
CVE-2025-66577 is a medium severity vulnerability in the cpp-httplib C++ HTTP/HTTPS library versions prior to 0.27.0. It involves improper output neutralization for logs (CWE-117), allowing attacker-controlled HTTP headers such as X-Forwarded-For or X-Real-IP to spoof client IP addresses in server logs. This can lead to log poisoning and audit evasion, potentially misleading administrators and security monitoring tools. The vulnerability does not impact confidentiality or availability but affects the integrity of log data. Exploitation requires no authentication or user interaction and can be performed remotely over the network. The issue is fixed in version 0.27.0.
AI Analysis
Technical Summary
CVE-2025-66577 affects cpp-httplib, a widely used C++11 single-header HTTP/HTTPS library, in versions prior to 0.27.0. The vulnerability arises from improper output neutralization for logs (CWE-117) and improper access control (CWE-807) related to how the library processes certain HTTP headers. Specifically, the get_client_ip() function in docker/main.cc accepts X-Forwarded-For and X-Real-IP headers without validation, allowing an attacker to supply arbitrary IP addresses. These spoofed IPs are then recorded in server access and error logs (e.g., nginx_access_logger and nginx_error_logger), leading to log poisoning and audit evasion. This can mislead administrators and security tools by obscuring the true source of requests, complicating incident response and forensic investigations. The vulnerability is remotely exploitable without authentication or user interaction, increasing its risk profile. Although it does not directly compromise confidentiality or availability, the integrity of security-critical logs is undermined. The issue was addressed in cpp-httplib version 0.27.0 by implementing proper validation and neutralization of attacker-controlled headers before logging. No known exploits are reported in the wild as of the publication date.
Potential Impact
For European organizations, the primary impact is on the integrity and reliability of security logs, which are essential for monitoring, incident detection, and forensic analysis. Log poisoning can allow attackers to hide their true IP addresses, complicating attribution and response efforts. This is particularly critical for sectors with strict compliance and auditing requirements such as finance, healthcare, and critical infrastructure. Organizations relying on cpp-httplib in web servers, embedded systems, or IoT devices may face increased risk of stealthy attacks or unauthorized access attempts going undetected. While the vulnerability does not directly affect system confidentiality or availability, the degradation of log trustworthiness can indirectly facilitate more severe attacks by masking attacker activities. The lack of authentication or user interaction required for exploitation means attackers can remotely and easily attempt to exploit this vulnerability, increasing the likelihood of abuse if unpatched.
Mitigation Recommendations
1. Upgrade cpp-httplib to version 0.27.0 or later immediately to apply the official fix.
2. Implement additional validation and sanitization of HTTP headers such as X-Forwarded-For and X-Real-IP at the application or proxy level to prevent spoofed IP addresses from being logged.
3. Configure logging systems to correlate client IPs with other metadata (e.g., TCP connection info) to detect inconsistencies indicative of spoofing.
4. Employ anomaly detection on logs to identify unusual patterns or impossible IP address sequences that may suggest log poisoning.
5. Harden access to logging infrastructure and restrict who can modify logging configurations to prevent tampering.
6. Conduct regular audits of logs and cross-check with network-level data to ensure log integrity.
7. For organizations using cpp-httplib in embedded or IoT devices, ensure firmware updates include the patched library version and verify update mechanisms are secure.
8. Educate security teams about the risks of log poisoning and the importance of validating client IP information.
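An added example (not cpp-httplib's code and not the 0.27.0 patch) of recommendations 2 and 3: the forwarded header is honoured only when the TCP peer is a known proxy, and every hop must parse as an IP literal before it can reach a log line. The function names, the trusted-proxy set and all addresses are assumptions constructed for illustration.

```cpp
// Added example, not cpp-httplib code: pick the client IP that goes into a log line.
#include <arpa/inet.h>
#include <netinet/in.h>
#include <set>
#include <sstream>
#include <string>
#include <vector>

// Constructed sample: addresses of reverse proxies we operate (assumption).
const std::set<std::string> kTrustedProxies = {"10.0.0.5", "10.0.0.6"};

// True only for an IPv4/IPv6 literal; CR, LF, NUL, spaces and hostnames all fail.
static bool is_ip_literal(const std::string &s) {
  unsigned char buf[sizeof(struct in6_addr)];
  if (s.empty() || s.size() > 45 || s.find('\0') != std::string::npos) return false;
  return inet_pton(AF_INET, s.c_str(), buf) == 1 ||
         inet_pton(AF_INET6, s.c_str(), buf) == 1;
}

static std::string trim(const std::string &s) {
  const auto b = s.find_first_not_of(" \t");
  if (b == std::string::npos) return "";
  return s.substr(b, s.find_last_not_of(" \t") - b + 1);
}

// peer: address of the TCP connection. xff: raw X-Forwarded-For value, "" if absent.
std::string client_ip_for_log(const std::string &peer, const std::string &xff,
                              const std::set<std::string> &trusted) {
  // A direct client can put anything in the header, so ignore it entirely.
  if (xff.empty() || trusted.count(peer) == 0) return peer;
  std::vector<std::string> hops;
  std::stringstream ss(xff);
  for (std::string item; std::getline(ss, item, ',');) hops.push_back(trim(item));
  // Each proxy appends the address it saw, so walk from the right-hand end.
  for (auto it = hops.rbegin(); it != hops.rend(); ++it) {
    if (!is_ip_literal(*it)) return peer;        // malformed chain: log the peer
    if (trusted.count(*it) == 0) return *it;     // first hop we do not operate
  }
  return peer;  // every listed hop is one of our own proxies
}
```

Writing the TCP peer address into the same log record as the resolved address keeps the two available for later cross-checking.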
Affected Countries
Germany, France, United Kingdom, Netherlands, Sweden, Finland, Italy
Technical Details
- Data Version: 5.2
- Assigner Short Name: GitHub_M
- Date Reserved: 2025-12-04T18:53:42.398Z
- CVSS Version: 3.1
- State: PUBLISHED
Threat ID: 693324bbf88dbe026c02bd7e
Added to database: 12/5/2025, 6:30:19 PM
Last enriched: 12/12/2025, 7:16:23 PM
Last updated: 1/20/2026, 12:27:15 PM