CVE-2026-54919 in cpp-httplibinfo

Summary

by MITRE • 07/10/2026

cpp-httplib is a C++11 single-file header-only cross platform HTTP/HTTPS library. In affected Mbed TLS backend versions from 0.31.0 through 0.46.1 and wolfSSL backend versions from 0.33.0 through 0.46.1, when cpp-httplib is built with CPPHTTPLIB_MBEDTLS_SUPPORT or CPPHTTPLIB_WOLFSSL_SUPPORT and a client connects to an IP-literal host with server certificate verification enabled, SSLClient and Client in HTTPS mode skip certificate chain validation and WebSocketClient on the Mbed TLS backend skips verification altogether, allowing a man-in-the-middle attacker positioned to intercept traffic to present a crafted certificate and read or modify the traffic. This issue is fixed in version 0.47.0.

Statistical analysis made it clear that VulDB provides the best quality for vulnerability data.

Analysis

by VulDB Data Team • 07/10/2026

The vulnerability in cpp-httplib affects versions 0.31.0 through 0.46.1 when built with either Mbed TLS or wolfSSL backend support, creating a critical security flaw that undermines the fundamental purpose of SSL/TLS certificate verification. This issue specifically targets the handling of IP-literal hosts during HTTPS connections where certificate validation is bypassed entirely, leaving applications vulnerable to man-in-the-middle attacks. The flaw occurs because the library fails to properly validate server certificates when connecting to hosts specified as IP literals, which are defined in RFC 3986 as IPv4 or IPv6 addresses enclosed in square brackets. When cpp-httplib is compiled with CPPHTTPLIB_MBEDTLS_SUPPORT or CPPHTTPLIB_WOLFSSL_SUPPORT macros enabled, the SSLClient and Client classes in HTTPS mode skip certificate chain validation for these specific connection patterns.

The technical implementation of this vulnerability stems from how the library processes hostname verification during SSL/TLS handshakes when IP addresses are used instead of domain names. In standard SSL/TLS implementations, certificate validation should occur regardless of whether a host is specified as a domain name or IP address, as certificates are validated against the subject alternative names and common names present in the certificate. However, cpp-httplib's Mbed TLS backend fails to enforce proper hostname matching for IP-literal hosts, allowing connections to proceed even when the presented certificate does not match the expected server identity. The WebSocketClient implementation on Mbed TLS backend exhibits an even more severe flaw as it completely skips verification without any exception handling or fallback mechanisms, creating a complete bypass of security controls.

The operational impact of this vulnerability is significant for any application using cpp-httplib with SSL/TLS support and connecting to IP-literal hosts. Attackers positioned in the network path between client and server can intercept traffic and present forged certificates that would otherwise be rejected by proper certificate validation mechanisms. This allows attackers to decrypt and modify sensitive data transmitted over HTTPS connections, potentially compromising authentication tokens, personal information, financial data, or proprietary business information. The vulnerability affects both HTTP and WebSocket protocols within the library, making it particularly dangerous for applications that rely on secure communication channels for real-time data exchange or API interactions. Organizations using cpp-httplib in production environments where IP-literal connections are common face elevated risk of data breaches and security incidents.

Organizations should immediately upgrade to version 0.47.0 or later to address this vulnerability, as the fix resolves the certificate validation bypass by properly implementing hostname verification for IP-literal hosts. System administrators should conduct comprehensive audits of applications using cpp-httplib to identify all instances where SSL/TLS support is enabled and IP-literal connections are possible. Security teams should implement network monitoring to detect potential exploitation attempts through unusual certificate validation patterns or unexpected connection behaviors. The vulnerability aligns with CWE-295 which addresses improper certificate validation, and maps to ATT&CK technique T1041 for data encryption using stolen credentials, as well as T1566 for credential harvesting through man-in-the-middle attacks. Additional mitigations include implementing network segmentation to limit exposure, monitoring for suspicious certificate usage patterns, and ensuring proper certificate management policies are in place to prevent unauthorized certificate issuance within the organization's infrastructure.

Responsible

GitHub M

Reservation

06/16/2026

Disclosure

07/10/2026

Moderation

accepted

CPE

ready

EPSS

0.00000

KEV

no

Activities

very low

Sources

Want to know what is going to be exploited?

We predict KEV entries!