The cpp-httplib library is a widely used, single-header C++11 library for HTTP and HTTPS client-server communication. In versions before 0.37.2, a critical flaw exists when the client is configured to use a proxy and enabled to follow HTTP redirects (set_follow_location(true)). Specifically, if the client receives an HTTPS redirect response, it disables TLS certificate and hostname verification on the subsequent redirected connection. This means the client will accept any TLS certificate presented by the redirect target without validation, including expired, self-signed, or maliciously forged certificates. This improper certificate validation (CWE-295) effectively allows a man-in-the-middle (MITM) attacker who can inject or manipulate redirect responses to intercept and decrypt the redirected HTTPS traffic. Such interception can expose sensitive information like credentials, session tokens, and other confidential data transmitted over the connection. The vulnerability is particularly dangerous because it occurs silently without alerting the application or user, undermining the fundamental trust model of TLS. The issue is fixed in cpp-httplib version 0.37.2 by restoring proper certificate and hostname verification on redirected HTTPS connections. The CVSS 3.1 score of 8.7 reflects the high confidentiality and integrity impact, network attack vector, no privileges or user interaction required, and the scope change due to redirect handling. No known exploits have been reported in the wild yet.

Organizations using vulnerable versions of cpp-httplib in their software, especially those relying on proxy configurations and automatic redirect following, face significant risks. An attacker positioned on the network path—such as on compromised Wi-Fi networks, ISP-level attackers, or malicious proxies—can exploit this flaw to intercept and manipulate HTTPS traffic that should be secure. This can lead to credential theft, session hijacking, data leakage, and unauthorized access to protected resources. The silent failure of certificate validation increases the likelihood that such attacks go undetected. The vulnerability undermines the security guarantees of TLS, potentially affecting any application built on cpp-httplib that handles sensitive data or authentication tokens. Given the library’s cross-platform nature and use in embedded systems, IoT devices, and custom applications, the scope of impact can be broad. Although no exploits are known in the wild yet, the ease of exploitation and high impact make timely patching critical to prevent compromise.

The primary mitigation is to upgrade all affected cpp-httplib instances to version 0.37.2 or later, where the certificate validation issue on HTTPS redirects is fixed. For organizations unable to immediately upgrade, a temporary workaround is to disable automatic redirect following (set_follow_location(false)) when using proxies, thereby preventing the vulnerable code path from executing. Additionally, network-level protections such as enforcing strict TLS inspection policies, using secure proxy configurations that validate certificates, and employing network segmentation to limit exposure to untrusted networks can reduce risk. Application developers should also implement additional certificate pinning or validation layers where feasible to detect anomalies. Monitoring network traffic for unexpected redirects and anomalous TLS certificates can help detect exploitation attempts. Finally, educating developers and security teams about the risks of improper certificate validation and ensuring secure coding practices in HTTP client implementations is essential.