CVE-2026-45372: CWE-93: Improper Neutralization of CRLF Sequences ('CRLF Injection') in yhirose cpp-httplib
cpp-httplib versions prior to 0. 44. 0 contain a CRLF injection vulnerability due to improper neutralization of CRLF sequences in HTTP header values. The server applies percent-decoding to header values after validating them, allowing encoded CRLF sequences (%0D%0A) to bypass validation and be decoded into literal carriage return and line feed characters. This can lead to HTTP response splitting or header injection attacks. The vulnerability is fixed in version 0. 44. 0. The CVSS score is 9. 9, indicating critical severity.
AI Analysis
Technical Summary
cpp-httplib is a C++11 header-only HTTP/HTTPS library. Before version 0.44.0, the server component validates HTTP header values before percent-decoding them, except for Location and Referer headers. This validation allows encoded CRLF sequences (%0D%0A) to pass unchecked. After decoding, these sequences become literal CRLF characters within header values, enabling CRLF injection (CWE-93) and potentially HTTP response splitting (CWE-444). This vulnerability is resolved in version 0.44.0.
Potential Impact
An attacker can inject CRLF sequences into HTTP headers by encoding them, which bypasses the server's validation. This can lead to HTTP response splitting or header injection, potentially allowing manipulation of HTTP responses, injection of malicious headers, or other impacts on confidentiality, integrity, and availability as indicated by the CVSS vector (Confidentiality: Low, Integrity: High, Availability: Low).
Mitigation Recommendations
Upgrade cpp-httplib to version 0.44.0 or later, where this vulnerability is fixed. There is no official patch or temporary fix other than upgrading. Patch status is not explicitly stated beyond the fix in 0.44.0, so users should verify vendor advisories for the latest remediation guidance.
CVE-2026-45372: CWE-93: Improper Neutralization of CRLF Sequences ('CRLF Injection') in yhirose cpp-httplib
Description
cpp-httplib versions prior to 0. 44. 0 contain a CRLF injection vulnerability due to improper neutralization of CRLF sequences in HTTP header values. The server applies percent-decoding to header values after validating them, allowing encoded CRLF sequences (%0D%0A) to bypass validation and be decoded into literal carriage return and line feed characters. This can lead to HTTP response splitting or header injection attacks. The vulnerability is fixed in version 0. 44. 0. The CVSS score is 9. 9, indicating critical severity.
CVSS v3.1
Score 9.9critical
AI-Powered Analysis
Machine-generated threat intelligence
Technical Analysis
cpp-httplib is a C++11 header-only HTTP/HTTPS library. Before version 0.44.0, the server component validates HTTP header values before percent-decoding them, except for Location and Referer headers. This validation allows encoded CRLF sequences (%0D%0A) to pass unchecked. After decoding, these sequences become literal CRLF characters within header values, enabling CRLF injection (CWE-93) and potentially HTTP response splitting (CWE-444). This vulnerability is resolved in version 0.44.0.
Potential Impact
An attacker can inject CRLF sequences into HTTP headers by encoding them, which bypasses the server's validation. This can lead to HTTP response splitting or header injection, potentially allowing manipulation of HTTP responses, injection of malicious headers, or other impacts on confidentiality, integrity, and availability as indicated by the CVSS vector (Confidentiality: Low, Integrity: High, Availability: Low).
Mitigation Recommendations
Upgrade cpp-httplib to version 0.44.0 or later, where this vulnerability is fixed. There is no official patch or temporary fix other than upgrading. Patch status is not explicitly stated beyond the fix in 0.44.0, so users should verify vendor advisories for the latest remediation guidance.
Technical Details
- Data Version
- 5.2
- Assigner Short Name
- GitHub_M
- Date Reserved
- 2026-05-12T00:51:29.086Z
- Cvss Version
- 3.1
- State
- PUBLISHED
- Remediation Level
- null
- Gcve Source
- db.gcve.eu
Threat ID: 6a19feb2e29bf47b500fc27f
Added to database: 5/29/2026, 9:01:38 PM
Last enriched: 5/29/2026, 9:03:29 PM
Last updated: 5/29/2026, 9:14:43 PM
Views: 1
Community Reviews
0 reviewsCrowdsource mitigation strategies, share intel context, and vote on the most helpful responses. Sign in to add your voice and help keep defenders ahead.
Want to contribute mitigation steps or threat intel context? Sign in or create an account to join the community discussion.
Actions
Updates to AI analysis require Pro Console access. Upgrade inside Console → Billing.
External Links
Need more coverage?
Upgrade to Pro Console for AI refresh and higher limits.
For incident response and remediation, OffSeq services can help resolve threats faster.
Latest Threats
Check if your credentials are on the dark web
Instant breach scanning across billions of leaked records. Free tier available.