CRLF Injection in cpp-httplib HTTP/HTTPS Library by yhirose
CVE-2026-21428

7.7HIGH

Key Information:

Vendor: Yhirose
Status: Cpp-httplib
Vendor: CVE Published:; 1 January 2026

What is CVE-2026-21428?

The cpp-httplib library, a cross-platform HTTP/HTTPS client, is susceptible to a CRLF injection vulnerability due to insufficient validation of user-supplied header values in the write_headers function. This flaw allows attackers to inject additional headers, manipulate the request body unexpectedly, and potentially conduct server-side request forgery (SSRF) attacks. Such risks are particularly pronounced when used with servers supporting HTTP/1.1 pipelining, such as Spring Boot or Python Twisted. Users are advised to upgrade to version 0.30.0 or later to mitigate these vulnerabilities.