cpp-httplib is a widely used single-header C++11 library facilitating HTTP and HTTPS client-server communication. In versions before 0.37.2, a critical flaw exists when the client is configured with a proxy and the option set_follow_location(true) is enabled. Under these conditions, if the server issues an HTTPS redirect, the library disables TLS certificate and hostname verification on the new redirected connection without notifying the application. This means the client will accept any TLS certificate presented by the redirect target, including expired, self-signed, or maliciously forged certificates. The root cause is improper certificate validation (CWE-295) during HTTPS redirects in proxied connections. An attacker positioned on the network path can exploit this by injecting a redirect response to a malicious HTTPS endpoint with an invalid certificate, thereby intercepting and decrypting all traffic on the redirected connection. This includes sensitive data such as credentials, session tokens, and other confidential information. The vulnerability does not require user interaction or authentication but does require the attacker to be able to manipulate network traffic (man-in-the-middle). The issue is resolved in cpp-httplib version 0.37.2, where proper certificate validation is enforced on redirected HTTPS connections even when a proxy is used.

This vulnerability severely compromises the confidentiality and integrity of HTTPS communications made using vulnerable cpp-httplib clients configured with proxies and automatic redirect following. Attackers with network access can perform man-in-the-middle attacks by injecting malicious redirects and presenting invalid TLS certificates that the client will accept without error. This enables interception and potential modification of sensitive data such as authentication credentials, session cookies, and other private information transmitted over HTTPS. Organizations relying on cpp-httplib in proxy environments, especially in internal networks or cloud infrastructures where proxies are common, face risks of credential theft, session hijacking, and data leakage. The vulnerability undermines the fundamental trust model of TLS, potentially exposing critical systems and user data to attackers. Although exploitation requires network-level access, the widespread use of proxies and automatic redirect following in HTTP clients increases the attack surface. The flaw does not affect availability but has high impact on confidentiality and integrity.

Immediate mitigation requires upgrading cpp-httplib to version 0.37.2 or later where the certificate validation bug is fixed. Until upgrade is possible, organizations should disable automatic redirect following (set_follow_location(false)) when using proxies to prevent the vulnerable code path. Network defenses such as strict proxy controls, TLS interception detection, and network segmentation can reduce exposure to man-in-the-middle attackers. Application developers should audit their use of cpp-httplib to confirm proxy and redirect configurations and ensure TLS verification is enforced. Employing additional TLS validation layers or certificate pinning at the application level can provide defense in depth. Monitoring network traffic for unexpected redirects and anomalous TLS certificates can help detect exploitation attempts. Finally, educating developers and security teams about this specific vulnerability and its conditions is critical to prevent misconfiguration and exploitation.