The cpp-httplib library is a popular C++11 single-header HTTP/HTTPS library used for building cross-platform web servers and clients. In versions prior to 0.35.0, if a request handler throws a C++ exception and the application developer has not registered a custom exception handler using set_exception_handler(), the library internally catches the exception and writes the exception's message directly into the HTTP response header named EXCEPTION_WHAT. This header is sent back to the client that made the request without any authentication or authorization checks, effectively exposing internal exception details to unauthorized actors. Since this behavior is enabled by default, developers unaware of this mechanism may inadvertently ship servers that leak sensitive debugging or internal state information. Such information disclosure can reveal implementation details, internal error messages, or other sensitive data that could assist attackers in reconnaissance or crafting targeted attacks. The vulnerability is tracked as CWE-200 (Exposure of Sensitive Information to an Unauthorized Actor) and has a CVSS 3.1 base score of 5.3 (medium severity), reflecting its ease of exploitation (network accessible, no privileges or user interaction required) but limited impact (confidentiality only, no integrity or availability impact). The issue is resolved in cpp-httplib version 0.35.0 by requiring explicit registration of a custom exception handler to control exception message exposure, thus preventing automatic leakage of exception details in HTTP headers.

This vulnerability primarily impacts the confidentiality of information processed by servers using vulnerable versions of cpp-httplib. By exposing internal exception messages to any unauthenticated client, attackers can gain insights into the server's internal logic, error conditions, and possibly sensitive data embedded in exception messages. This information can facilitate further attacks such as crafting more precise injection attacks, identifying software versions, or uncovering other vulnerabilities. Although it does not directly affect integrity or availability, the information disclosure can be a critical step in a multi-stage attack. Organizations deploying cpp-httplib-based servers in production environments risk leaking sensitive debugging or operational details, which can undermine security posture and compliance requirements. The vulnerability is especially concerning for internet-facing services where attackers can freely send requests to trigger exceptions and harvest the leaked information. However, no known exploits are reported in the wild as of now, which may limit immediate impact but does not reduce the urgency of remediation.

To mitigate this vulnerability, organizations should upgrade cpp-httplib to version 0.35.0 or later, where the issue is fixed by requiring explicit registration of a custom exception handler. If upgrading is not immediately feasible, developers should implement and register a custom exception handler via set_exception_handler() that safely handles exceptions without exposing sensitive details in HTTP responses. This handler should log exception details securely on the server side and return generic error messages to clients. Additionally, developers should audit their code to ensure no other mechanisms leak internal information. Network-level protections such as web application firewalls (WAFs) can be configured to detect and block suspicious requests that might trigger exceptions. Monitoring HTTP response headers for unexpected EXCEPTION_WHAT headers can help detect vulnerable deployments. Finally, security teams should incorporate this vulnerability into their vulnerability management and patching processes to ensure timely remediation.