HTTP Header Parsing Vulnerability in cpp-httplib by Yhirose
CVE-2026-45372

9.9 CRITICAL

Key Information:

Vendor: Yhirose
CVE Published: 29 May 2026

What is CVE-2026-45372?

cpp-httplib, a widely used single-file, header-only C++11 HTTP/HTTPS library, has a vulnerability in how it processes incoming HTTP headers. Prior to version 0.44.0, the library applies percent-decoding to every header value except Location and Referer. An attacker can therefore inject encoded line breaks (%0D%0A) into a header value, which are decoded and then processed erroneously, resulting in potential header manipulation. The vulnerability is patched in version 0.44.0; upgrade to that version to mitigate it.
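
To make the failure mode concrete, the following added example (not code from cpp-httplib or from this advisory) contrasts storing a percent-decoded header value with a check that rejects values whose raw or decoded form contains CR, LF or NUL. The function names and the sample value are assumptions made for illustration, and the check is one conservative option, not a description of the 0.44.0 fix.

```cpp
// Added example; not cpp-httplib source. All names here are hypothetical.
#include <iostream>
#include <string>

static int hex_val(char c) {
    if (c >= '0' && c <= '9') return c - '0';
    if (c >= 'a' && c <= 'f') return c - 'a' + 10;
    if (c >= 'A' && c <= 'F') return c - 'A' + 10;
    return -1;
}

// Decode %XX escapes; malformed escapes are copied through unchanged.
std::string percent_decode(const std::string& in) {
    std::string out;
    for (std::size_t i = 0; i < in.size(); ++i) {
        if (in[i] == '%' && i + 2 < in.size()) {
            int hi = hex_val(in[i + 1]), lo = hex_val(in[i + 2]);
            if (hi >= 0 && lo >= 0) {
                out.push_back(static_cast<char>(hi * 16 + lo));
                i += 2;
                continue;
            }
        }
        out.push_back(in[i]);
    }
    return out;
}

// CR, LF and NUL must never appear inside a header field value.
bool has_forbidden_bytes(const std::string& v) {
    return v.find_first_of(std::string("\r\n\0", 3)) != std::string::npos;
}

// Behaviour the advisory describes: the decoded value is what gets stored.
std::string store_decoded(const std::string& raw) { return percent_decode(raw); }

// Defensive variant: keep the raw bytes and reject the value if either its
// raw or decoded form contains CR, LF or NUL.
bool store_checked(const std::string& raw, std::string& out) {
    if (has_forbidden_bytes(raw) || has_forbidden_bytes(percent_decode(raw))) return false;
    out = raw;
    return true;
}

int main() {
    const std::string raw = "en%0D%0AX-Constructed: 1";  // constructed sample value
    std::string kept;
    std::cout << "decoded value contains CRLF: " << has_forbidden_bytes(store_decoded(raw)) << "\n";
    std::cout << "checked store accepts it: " << store_checked(raw, kept) << "\n";
}
```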

Affected Version(s)

cpp-httplib < 0.44.0

CVSS V3.1

Score: 9.9
Severity: CRITICAL
Confidentiality: Low
Integrity: High
Availability: Low
Attack Vector: Network
Attack Complexity: Low
Privileges Required: None
User Interaction: None
Scope: Changed

Timeline

  • Vulnerability published

  • Vulnerability Reserved
