PatchSiren

PatchSiren cyber security CVE debrief

CVE-2026-46527 yhirose CVE debrief

A denial-of-service vulnerability exists in cpp-httplib prior to version 0.44.0. When a server has configured a non-empty trusted proxy list via Server::set_trusted_proxies(), an attacker can send an HTTP request containing an X-Forwarded-For header with a value that parses to no valid IP segments. This triggers get_client_ip() to call front() on an empty std::vector, resulting in undefined behavior that typically causes abnormal process termination. The vulnerability was published on 2026-05-29 and is rated HIGH severity with a CVSS score of 8.7.

Vendor: yhirose
Product: cpp-httplib
CVSS: HIGH 8.7
CISA KEV: Not listed in stored evidence
Original CVE published: 2026-05-29
Original CVE updated: 2026-05-29
Advisory published: 2026-05-29
Advisory updated: 2026-05-29

Who should care

Organizations running cpp-httplib-based HTTP servers that call Server::set_trusted_proxies() with a non-empty list, particularly where the server is reachable by untrusted clients (directly or through the configured proxies). Developers maintaining C++ HTTP services built on cpp-httplib, and security teams tracking denial-of-service bugs in header parsing code.

Technical summary

The vulnerability stems from insufficient validation of the result of X-Forwarded-For header parsing. When Server::set_trusted_proxies() has been called with a non-empty list, the server derives the client IP address from the X-Forwarded-For header rather than from the socket peer. If the header value contains no parseable IP segments, the std::vector that holds the parsed segments is empty. get_client_ip() then calls front() on that empty container, which is undefined behavior under the C++ standard: an empty std::vector ordinarily holds a null data pointer, so the call dereferences null and the process terminates with SIGSEGV (or aborts immediately when the standard library is built with container assertions enabled). Either way the service stops responding, which is the denial of service. A single request carrying the malformed header is enough; no prior state on the server is required. The issue is classified as CWE-476 (NULL Pointer Dereference); the underlying defect is an unchecked access to an empty container.

Defensive priority

HIGH

Recommended defensive actions

  • Upgrade cpp-httplib to version 0.44.0 or later
  • If immediate patching is not possible, reject requests whose X-Forwarded-For header yields no valid IP segment before the value reaches the client-IP lookup, or leave the trusted proxy list unconfigured; the vulnerable path is only reached when the list is non-empty
  • Monitor for unexpected process exits (SIGSEGV, SIGABRT) and supervisor restarts of cpp-httplib-based services; repeated crashes that line up with malformed X-Forwarded-For values in front-end proxy logs indicate exploitation attempts
  • Enable AddressSanitizer or UndefinedBehaviorSanitizer in testing environments, and build test binaries with -D_GLIBCXX_ASSERTIONS so that front() on an empty libstdc++ container aborts with a diagnostic instead of silently dereferencing null
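The parsing path described in the Technical summary and the pre-validation workaround in the list above, as one added C++ example. This is not cpp-httplib's own code: the function names parse_forwarded_for, client_ip_unchecked, client_ip_hardened and xff_should_be_rejected are hypothetical, segment validation via inet_pton and the right-to-left walk over trusted hops are this illustration's choices rather than the library's, and the sample header values are constructed, not captured traffic.

```cpp
#include <arpa/inet.h>   // inet_pton (POSIX)
#include <cctype>
#include <iostream>
#include <set>
#include <string>
#include <vector>

// Strip leading/trailing whitespace from one X-Forwarded-For segment.
static std::string trim(const std::string& s) {
    size_t b = 0, e = s.size();
    while (b < e && std::isspace(static_cast<unsigned char>(s[b]))) ++b;
    while (e > b && std::isspace(static_cast<unsigned char>(s[e - 1]))) --e;
    return s.substr(b, e - b);
}

// A segment counts as a valid IP only if inet_pton accepts it as IPv4 or IPv6.
// Assumption: this is the illustration's notion of "valid segment", not cpp-httplib's parser.
static bool is_ip_literal(const std::string& s) {
    unsigned char buf[sizeof(in6_addr)];
    return inet_pton(AF_INET, s.c_str(), buf) == 1 ||
           inet_pton(AF_INET6, s.c_str(), buf) == 1;
}

// Split a comma-separated X-Forwarded-For value and keep only valid IP literals.
// A value such as " , , " or "not-an-ip" yields an EMPTY vector.
std::vector<std::string> parse_forwarded_for(const std::string& value) {
    std::vector<std::string> out;
    size_t start = 0;
    for (;;) {
        size_t comma = value.find(',', start);
        std::string seg = trim(value.substr(
            start, comma == std::string::npos ? std::string::npos : comma - start));
        if (is_ip_literal(seg)) out.push_back(seg);
        if (comma == std::string::npos) break;
        start = comma + 1;
    }
    return out;
}

// Vulnerable pattern, as the advisory describes it: no emptiness check before front().
// On an empty vector this is undefined behavior; libstdc++ normally dereferences a null
// data pointer (SIGSEGV), or aborts at once if built with -D_GLIBCXX_ASSERTIONS.
std::string client_ip_unchecked(const std::string& xff) {
    std::vector<std::string> segs = parse_forwarded_for(xff);
    return segs.front();
}

// Hardened version (illustration's logic). Honors X-Forwarded-For only when the TCP peer
// is a trusted proxy, walks the list right-to-left skipping trusted hops, and falls back
// to the socket peer address whenever no usable segment remains (empty header, junk,
// or every hop trusted), so front() is never called on an empty container.
std::string client_ip_hardened(const std::string& remote_addr,
                               const std::string& xff,
                               const std::set<std::string>& trusted_proxies) {
    if (trusted_proxies.count(remote_addr) == 0) return remote_addr;  // direct client, ignore XFF
    std::vector<std::string> segs = parse_forwarded_for(xff);
    for (auto it = segs.rbegin(); it != segs.rend(); ++it) {
        if (trusted_proxies.count(*it) == 0) return *it;              // nearest untrusted hop
    }
    return remote_addr;                                               // nothing usable: fall back
}

// Pre-processing check for the interim workaround: true when the header is present but
// carries no valid IP segment, i.e. exactly the input that would hit front() on an empty
// vector. A server can answer such requests with 400 before the client-IP lookup runs.
bool xff_should_be_rejected(bool header_present, const std::string& xff) {
    return header_present && parse_forwarded_for(xff).empty();
}

int main() {
    const std::set<std::string> trusted{"10.0.0.1"};
    // Constructed sample inputs (documentation addresses, not captured traffic).
    std::cout << client_ip_hardened("10.0.0.1", "203.0.113.7, 10.0.0.1", trusted) << '\n';
    std::cout << client_ip_hardened("10.0.0.1", " , , ", trusted) << '\n';
    std::cout << std::boolalpha << xff_should_be_rejected(true, " , , ") << '\n';
    // client_ip_unchecked(" , , ") is deliberately not called here: it would crash the process.
    return 0;
}
```

Build with `g++ -std=c++17 -D_GLIBCXX_ASSERTIONS -fsanitize=address` and add a call to client_ip_unchecked(" , , ") to see the failure mode the advisory describes: the libstdc++ assertion reports front() on an empty vector and aborts, and without the assertion macro AddressSanitizer reports the null read instead.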

Evidence notes

The vulnerability description is sourced from the official GitHub Security Advisory GHSA-hg3g-vrg8-578g, with CVSS vector and weakness classification (CWE-476: NULL Pointer Dereference) provided by NVD. The fix version 0.44.0 is explicitly stated in the advisory.

Official resources

The vulnerability was disclosed via GitHub Security Advisory and indexed by NVD on 2026-05-29. No known exploitation in the wild has been reported.