Critical CRLF Injection Vulnerability in cpp-httplib (CVE-2026-45372)
Severity: High (Score: 72.6)
Sources: infosec.exchange, vuldb.com, Feedly, exploit-intel.com, www.thehackerwire.com
Keywords: cpp-httplib, http, header, percent-decoding, single-file, header-only, cross
Severity indicators: critical, rce, pla, CVE:CVE-2026-45372
Summary
A critical vulnerability, CVE-2026-45372, has been identified in cpp-httplib, a C++11 HTTP/HTTPS library. The flaw allows attackers to inject carriage return and newline byte pairs into HTTP header values due to improper percent-decoding handling. This issue affects all versions prior to 0.44.0 and has a CVSS score of 9.9, indicating high severity. Exploitation requires network access to a vulnerable server, potentially leading to serious attacks such as response splitting and request smuggling. No public proof-of-concept exploits are available yet, but users are strongly advised to upgrade to version 0.44.0 or newer to mitigate the risk. The vulnerability was first reported on May 29, 2026.

Key Points:
- CVE-2026-45372 is a critical CRLF injection vulnerability in cpp-httplib.
- The flaw affects all versions prior to 0.44.0 and has a CVSS score of 9.9.
- Users are urged to upgrade to cpp-httplib version 0.44.0 or later to mitigate risks.
Detailed Analysis
**Impact** Organizations using cpp-httplib versions prior to 0.44.0 are affected globally, particularly those deploying C++11 single-file header-only HTTP/HTTPS servers. The vulnerability enables critical HTTP-level attacks such as response splitting and request smuggling, potentially leading to data manipulation or interception. No specific sectors or data volumes are detailed in the sources.

**Technical Details** The vulnerability (CVE-2026-45372) arises from the order of operations in server-side header parsing: the field-value validity check (is_field_value) runs on the raw, still-encoded value, and percent-decoding is applied afterwards. A percent-encoded carriage return and newline (%0D%0A) therefore passes the check and is then decoded into a literal CR LF pair inside the stored header value. This flaw affects cpp-httplib versions up to 0.43.x and is fixed in version 0.44.0. Exploitation requires network access to a vulnerable server; no public proof-of-concept exploits or IOCs are reported.

**Recommended Response** Upgrade cpp-httplib to version 0.44.0 or later immediately to mitigate the vulnerability. Monitor network traffic for anomalous HTTP header behavior indicative of response splitting or request smuggling. No specific detection signatures or IOCs are currently available; defenders should maintain vigilance on HTTP header parsing anomalies.
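The ordering flaw described above (validity check on the raw value, then percent-decoding), as an added illustration that is not code from cpp-httplib or from any of the sources. The names is_field_value, percent_decode, parse_value_vulnerable, parse_value_hardened and contains_crlf are my own simplified stand-ins: the check approximates RFC 7230 field-content rules rather than reproducing the library's, and the hardened ordering is an assumption about a reasonable fix, not a statement of what 0.44.0 ships.

```cpp
#include <iostream>
#include <string>

// Result of parsing one header value: whether it was accepted and, if so,
// the value that would be stored.
struct ParsedValue {
  bool accepted;
  std::string value;
};

// Simplified field-value check (assumption: an approximation of what a
// check like is_field_value should enforce, not cpp-httplib's own code):
// allow visible ASCII plus space and tab, reject CR, LF and other controls.
bool is_field_value(const std::string &s) {
  for (unsigned char c : s) {
    if (c == ' ' || c == '\t') continue;
    if (c < 0x21 || c == 0x7f) return false;
  }
  return true;
}

// Decode %XX escapes; malformed or truncated escapes are left untouched.
std::string percent_decode(const std::string &s) {
  auto hex = [](char c) -> int {
    if (c >= '0' && c <= '9') return c - '0';
    if (c >= 'a' && c <= 'f') return c - 'a' + 10;
    if (c >= 'A' && c <= 'F') return c - 'A' + 10;
    return -1;
  };
  std::string out;
  for (std::size_t i = 0; i < s.size(); ++i) {
    if (s[i] == '%' && i + 2 < s.size()) {
      int hi = hex(s[i + 1]);
      int lo = hex(s[i + 2]);
      if (hi >= 0 && lo >= 0) {
        out.push_back(static_cast<char>(hi * 16 + lo));
        i += 2;
        continue;
      }
    }
    out.push_back(s[i]);
  }
  return out;
}

// The ordering the advisory describes: validate the raw bytes, then decode.
// "%0D%0A" contains only printable ASCII, so it passes the check and is then
// decoded into a literal CR LF inside the stored value.
ParsedValue parse_value_vulnerable(const std::string &raw) {
  if (!is_field_value(raw)) return {false, ""};
  return {true, percent_decode(raw)};
}

// Hardened ordering (assumption: my fix for illustration, not necessarily
// what 0.44.0 ships): validate the raw bytes, decode, then validate the
// decoded result as well, so decoding can never reintroduce forbidden bytes.
ParsedValue parse_value_hardened(const std::string &raw) {
  if (!is_field_value(raw)) return {false, ""};
  std::string decoded = percent_decode(raw);
  if (!is_field_value(decoded)) return {false, ""};
  return {true, decoded};
}

// Defender-side check usable on stored headers or logs: a bare CR or LF in a
// single header value is a sign that validation and decoding were misordered.
bool contains_crlf(const std::string &v) {
  return v.find('\r') != std::string::npos || v.find('\n') != std::string::npos;
}

int main() {
  const std::string sample = "a%0D%0Ab";  // constructed sample header value
  ParsedValue v = parse_value_vulnerable(sample);
  ParsedValue h = parse_value_hardened(sample);
  std::cout << "vulnerable ordering: accepted=" << v.accepted
            << " crlf_in_stored_value=" << contains_crlf(v.value) << "\n";
  std::cout << "hardened ordering:   accepted=" << h.accepted << "\n";
  return 0;
}
```

The point of the example is that the check itself is not wrong; the position of the check relative to decoding is. Any parser that transforms input after validating it must validate the transformed result as well, or reject escapes that would produce forbidden bytes.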
Source articles (5)
- CVE-2026-45372 - Exploits & Severity — Feedly · 2026-05-29
  cpp-httplib is a C++11 single-file header-only cross platform HTTP/HTTPS library. Prior to 0.44.0, when cpp-httplib's server parses an incoming request, it applies percent-decoding to every header val…
- CVE-2026-45372: cpp-httplib: HTTP header value percent-decoding in server-side `parse_header` enables CRLF injection [CRITICAL] CVSS 9.9 — Exploit Intelligence, Recent CVEs — exploit-intel.com · 2026-05-30
  cpp-httplib is a C++11 single-file header-only cross platform HTTP/HTTPS library. Prior to 0.44.0, when cpp-httplib's server parses an incoming request, it applies percent-decoding to every header value except Location and Referer. The validity check (is_field_value) is run before decoding, so encod…
- cpp-httplib Critical Header Parsing Vulnerability (CVE-2026-45372) — TheHackerWire — www.thehackerwire.com · 2026-05-30
  The vulnerability allows an attacker to inject literal carriage return and newline byte pairs into stored HTTP header values due to incorrect handling of percent-encoded input, potentially leading to various HTTP-level attacks. Specifically, versions prior to 0.44.0 exhibit a logic flaw where percent-decoding is applied to nearly all header values after a crucial validity check.
- VulDB :verified: — infosec.exchange · 2026-05-30
  A lot of offensive activities were identified targeting yhirose cpp-httplib (CVE-2026-45372) https://vuldb.com/vuln/367381/cti
- CVE-2026-45372 | yhirose cpp-httplib up to 0.43.x is_field_value crlf injection (GHSA-xjxg-64p4-vj4m) — VulDB Recent Entries — vuldb.com · 2026-05-30
  A vulnerability was found in yhirose cpp-httplib up to 0.43.x. It has been declared as critical. This affects the function is_field_value. The manipulation results in crlf injection. This vulnerability is known as CVE-2026-45372. It is possible to launch the attack remotely. No exploit is available. It is recommended to upgrade the affected component.
Timeline
- 2026-05-29 — CVE-2026-45372 published: CVE-2026-45372 details a critical header parsing vulnerability in cpp-httplib, allowing CRLF injection.
- 2026-05-30 — Exploit details reported: Exploit-Intel published details on CVE-2026-45372, emphasizing the risk of HTTP-level attacks.
CVEs
- CVE-2026-45372
Related entities
- Cpp-httplib (Platform)
- CRLF Injection (Vulnerability)