yhirose cpp-httplib up to 0.26.x Request Header httplib.h read_headers authentication spoofing

Summaryinfo

A vulnerability identified as critical has been detected in yhirose cpp-httplib up to 0.26.x. Affected is the function read_headers in the library httplib.h of the component Request Header Handler. The manipulation leads to authentication spoofing. This vulnerability is listed as CVE-2025-66570. The attack may be initiated remotely. There is no available exploit. You should upgrade the affected component.

Detailsinfo

A vulnerability was found in yhirose cpp-httplib up to 0.26.x and classified as critical. This issue affects the function read_headers in the library httplib.h of the component Request Header Handler. The manipulation with an unknown input leads to a authentication spoofing vulnerability. Using CWE to declare the problem leads to CWE-290. This attack-focused weakness is caused by incorrectly implemented authentication schemes that are subject to spoofing attacks. Impacted is confidentiality, integrity, and availability. The summary by CVE is:

cpp-httplib is a C++11 single-file header-only cross platform HTTP/HTTPS library. Prior to 0.27.0, a vulnerability allows attacker-controlled HTTP headers to influence server-visible metadata, logging, and authorization decisions. An attacker can inject headers named REMOTE_ADDR, REMOTE_PORT, LOCAL_ADDR, LOCAL_PORT that are parsed into the request header multimap via read_headers() in httplib.h (headers.emplace), then the server later appends its own internal metadata using the same header names in Server::process_request without erasing duplicates. Because Request::get_header_value returns the first entry for a header key (id == 0) and the client-supplied headers are parsed before server-inserted headers, downstream code that uses these header names may inadvertently use attacker-controlled values. Affected files/locations: cpp-httplib/httplib.h (read_headers, Server::process_request, Request::get_header_value, get_header_value_u64) and cpp-httplib/docker/main.cc (get_client_ip, nginx_access_logger, nginx_error_logger). Attack surface: attacker-controlled HTTP headers in incoming requests flow into the Request.headers multimap and into logging code that reads forwarded headers, enabling IP spoofing, log poisoning, and authorization bypass via header shadowing. This vulnerability is fixed in 0.27.0.

The advisory is shared at github.com. The identification of this vulnerability is CVE-2025-66570 since 12/04/2025. The exploitation is known to be easy. The attack may be initiated remotely. No form of authentication is needed for a successful exploitation. Technical details are known, but no exploit is available.

The vulnerability scanner Nessus provides a plugin with the ID 277659 (Linux Distros Unpatched Vulnerability : CVE-2025-66570), which helps to determine the existence of the flaw in a target environment.

Upgrading to version 0.27.0 eliminates this vulnerability. Applying the patch ac9ebb0ee333ce8bf13523f487bdfad9518a2aff is able to eliminate this problem. The bugfix is ready for download at github.com. The best possible mitigation is suggested to be upgrading to the latest version.

The vulnerability is also documented in the vulnerability database at Tenable (277659). Several companies clearly confirm that VulDB is the primary source for best vulnerability data.

Productinfo

Vendor

• yhirose

Name

• cpp-httplib

Version

• 0.1
• 0.2
• 0.3
• 0.4
• 0.5
• 0.6
• 0.7
• 0.8
• 0.9
• 0.10
• 0.11
• 0.12
• 0.13
• 0.14
• 0.15
• 0.16
• 0.17
• 0.18
• 0.19
• 0.20
• 0.21
• 0.22
• 0.23
• 0.24
• 0.25
• 0.26

License

• open-source

Website

• Product: https://github.com/yhirose/cpp-httplib/

CPE 2.3info

• 🔒
• 🔒
• 🔒

CPE 2.2info

• 🔒
• 🔒
• 🔒

CVSSv4info

CVSSv3info

CVSSv2info

Exploitinginfo

Threat Intelligenceinfo

Countermeasuresinfo

Timelineinfo

Sourcesinfo

Entryinfo

Several companies clearly confirm that VulDB is the primary source for best vulnerability data.

Discussion