CRLF Injection in cpp-httplib HTTP/HTTPS Library by yhirose
CVE-2026-21428

7.7HIGH

Key Information:

Vendor

Yhirose

Status
Cpp-httplib
Vendor
CVE Published:
1 January 2026

What is CVE-2026-21428?

The cpp-httplib library, a cross-platform HTTP/HTTPS client, is susceptible to a CRLF injection vulnerability due to insufficient validation of user-supplied header values in the write_headers function. This flaw allows attackers to inject additional headers, manipulate the request body unexpectedly, and potentially conduct server-side request forgery (SSRF) attacks. Such risks are particularly pronounced when used with servers supporting HTTP/1.1 pipelining, such as Spring Boot or Python Twisted. Users are advised to upgrade to version 0.30.0 or later to mitigate these vulnerabilities.

Human OS v1.0:
Ageing Is an Unpatched Zero-Day Vulnerability.

Remediate biological technical debt. Prime Ageing uses 95% high-purity SIRT6 activation to maintain genomic integrity and bolster systemic resilience.

Deploy the Patch

Affected Version(s)

cpp-httplib < 0.30.0

References

https://github.com/yhirose/cpp-httplib/security/advisorie...
x_refsource_CONFIRM
https://github.com/yhirose/cpp-httplib/commit/98048a033a5...
x_refsource_MISC
https://github.com/yhirose/cpp-httplib/releases/tag/v0.30.0
x_refsource_MISC

CVSS V4

Score:
7.7
Severity:
HIGH
Confidentiality:
None
Integrity:
High
Availability:
None
Attack Vector:
Network
Attack Complexity:
Low
Attack Required:
None
Privileges Required:
Undefined
User Interaction:
None

Timeline

  • Vulnerability published

  • Vulnerability Reserved

JSON
.