PatchSiren cyber security CVE debrief

CVE-2026-45372 yhirose CVE debrief

A critical vulnerability exists in cpp-httplib prior to version 0.44.0: percent-encoded CRLF sequences (%0D%0A) in HTTP header values pass the validity check and are then decoded to literal carriage-return and line-feed bytes. The is_field_value check runs before percent-decoding, so an attacker can place header-value terminators into stored header values. This affects all header values except Location and Referer, which are handled separately. The result is exposure to HTTP response splitting and request smuggling through manipulation of header parsing boundaries.

Vendor: yhirose
Product: cpp-httplib
CVSS: CRITICAL 9.9
CISA KEV: Not listed in stored evidence
Original CVE published: 2026-05-29
Original CVE updated: 2026-05-29
Advisory published: 2026-05-29
Advisory updated: 2026-05-29

Who should care

Organizations running HTTP servers built with cpp-httplib versions before 0.44.0, particularly those exposed to untrusted client requests or positioned behind reverse proxies where request smuggling could compromise security boundaries.

Technical summary

The cpp-httplib library's server-side request parsing applies percent-decoding to header values after running the is_field_value validity check. Because of this ordering, a %0D%0A sequence passes validation as harmless encoded characters and is then expanded to literal CRLF bytes in the stored header value. Location and Referer are excepted, which shows that header-specific handling exists but was not extended to the remaining headers. The defect enables HTTP response splitting, where injected header terminators alter downstream parsing, and contributes to HTTP request smuggling when front-end and back-end systems parse the same request differently. The fix in 0.44.0 restructures validation so that it applies to the percent-decoded value.
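The ordering problem described above, as an added illustration that is not cpp-httplib's own code: a minimal percent-decoder and a field-value check modelled on the RFC 9110 field-value grammar (both written here for the example; the function names accept_validate_then_decode, accept_decode_then_validate and has_percent_encoded_crlf are hypothetical). The flawed path validates the raw value and then decodes it, so a constructed value containing %0D%0A is stored with real CR LF bytes; the corrected path decodes first and validates the bytes that will actually be stored. The last helper is the kind of match a WAF rule for encoded CRLF in headers would perform.

```cpp
#include <cassert>
#include <cctype>
#include <iostream>
#include <string>

// Hypothetical field-value check (not cpp-httplib's is_field_value):
// reject bare CR, LF and other control bytes; allow HTAB and visible bytes.
bool is_valid_field_value(const std::string &v) {
  for (unsigned char c : v) {
    if (c == '\r' || c == '\n') return false;
    if (c < 0x20 && c != '\t') return false;
    if (c == 0x7f) return false;
  }
  return true;
}

static int hex_val(unsigned char c) {
  if (c >= '0' && c <= '9') return c - '0';
  if (c >= 'a' && c <= 'f') return c - 'a' + 10;
  if (c >= 'A' && c <= 'F') return c - 'A' + 10;
  return -1;
}

// Minimal percent-decoder: only well-formed %XX triplets are decoded,
// anything else is copied through unchanged.
std::string percent_decode(const std::string &s) {
  std::string out;
  out.reserve(s.size());
  for (size_t i = 0; i < s.size(); ++i) {
    if (s[i] == '%' && i + 2 < s.size()) {
      int hi = hex_val(static_cast<unsigned char>(s[i + 1]));
      int lo = hex_val(static_cast<unsigned char>(s[i + 2]));
      if (hi >= 0 && lo >= 0) {
        out.push_back(static_cast<char>(hi * 16 + lo));
        i += 2;
        continue;
      }
    }
    out.push_back(s[i]);
  }
  return out;
}

// Flawed ordering (the pattern the advisory describes): validate the raw
// value, then decode it. Encoded CRLF survives into `stored`.
bool accept_validate_then_decode(const std::string &raw, std::string &stored) {
  if (!is_valid_field_value(raw)) return false;
  stored = percent_decode(raw);
  return true;
}

// Corrected ordering: decode first, then validate exactly the bytes that
// would be stored and later re-emitted.
bool accept_decode_then_validate(const std::string &raw, std::string &stored) {
  std::string decoded = percent_decode(raw);
  if (!is_valid_field_value(decoded)) return false;
  stored = decoded;
  return true;
}

// Detection helper: true if the value contains %0D or %0A in any hex case.
bool has_percent_encoded_crlf(const std::string &s) {
  for (size_t i = 0; i + 2 < s.size(); ++i) {
    if (s[i] != '%' || s[i + 1] != '0') continue;
    char c = static_cast<char>(std::tolower(static_cast<unsigned char>(s[i + 2])));
    if (c == 'a' || c == 'd') return true;
  }
  return false;
}

int main() {
  // Constructed sample header value; not taken from any real request.
  const std::string sample = "foo%0D%0Abar";
  std::string stored;
  std::cout << "validate-then-decode accepts: "
            << accept_validate_then_decode(sample, stored)
            << " (stored has CRLF: " << (stored.find("\r\n") != std::string::npos) << ")\n";
  std::cout << "decode-then-validate accepts: "
            << accept_decode_then_validate(sample, stored) << "\n";
  std::cout << "encoded CRLF detected: " << has_percent_encoded_crlf(sample) << "\n";
  return 0;
}
```

The same check function is used in both paths; only the point at which it runs differs, which is why a fix of this kind is about where validation sits relative to decoding rather than about the check itself.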

Defensive priority

Critical

Recommended defensive actions

  • Upgrade cpp-httplib to version 0.44.0 or later
  • Audit applications using cpp-httplib for header injection vulnerabilities in request handling
  • Implement WAF rules to detect and block percent-encoded CRLF sequences (%0D%0A) in HTTP headers
  • Review proxy and load balancer configurations for HTTP request smuggling protections
  • Monitor for anomalous HTTP traffic patterns indicating header manipulation attempts

Evidence notes

CVE published 2026-05-29T20:16:26.473Z; modified 2026-05-29T20:23:08.683Z. Advisory confirms the fix in 0.44.0. CVSS 9.9 CRITICAL with vector CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:L/I:H/A:L. CWE-93 (Improper Neutralization of CRLF Sequences) and CWE-444 (HTTP Request/Response Smuggling) are identified.

Official resources

2026-05-29