Bug 2426666 (CVE-2026-21428)

Summary: CVE-2026-21428 cpp-httplib: Server-Side Request Forgery via header injection
Product: [Other] Security Response
Reporter: OSIDB Bzimport <bzimport>
Component: vulnerability
Assignee: Product Security DevOps Team <prodsec-dev>
Status: NEW
Severity: high
Priority: high
Version: unspecified
Keywords: Security
Hardware: All
OS: Linux
Doc Text:
A flaw was found in cpp-httplib, a C++ HTTP/HTTPS library. A remote attacker can exploit this vulnerability by injecting carriage return and line feed characters into user-supplied headers. This allows the attacker to add extra headers, modify the request body, and potentially trigger a Server-Side Request Forgery attack, which can be used to make a server send requests to an unintended location.
Bug Depends On: 2426696, 2426697, 2426698, 2426699, 2426700

Description OSIDB Bzimport 2026-01-01 18:01:20 UTC
cpp-httplib is a C++11 single-file, header-only, cross-platform HTTP/HTTPS library. Prior to version 0.30.0, the ``write_headers`` function does not check for CR and LF characters in user-supplied headers, allowing an untrusted header value to escape its header line.
This lets an attacker add extra headers, unexpectedly modify the request body, and trigger an SSRF attack. When combined with a server that supports HTTP/1.1 pipelining (Spring Boot, Python Twisted, etc.), this can be used for server-side request forgery (SSRF). Version 0.30.0 fixes this issue.
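The following is an added illustration of the defect class described above and of the check a fixed serializer needs; it is example code written for this page, not cpp-httplib's own write_headers. HeaderList, the function names and the header values are constructed for the example.

```cpp
#include <cstddef>
#include <stdexcept>
#include <string>
#include <utility>
#include <vector>

// Ordered header list; a constructed type for this example, not cpp-httplib's Headers.
using HeaderList = std::vector<std::pair<std::string, std::string>>;

// True when a header name or value contains no CR or LF, i.e. it cannot end
// the current line and begin another one in the serialized request.
bool header_field_is_clean(const std::string &field) {
    return field.find_first_of("\r\n") == std::string::npos;
}

// Unchecked serializer modelling the pre-0.30.0 behaviour described above:
// whatever is in the value goes to the wire, line terminators included.
std::string write_headers_unchecked(const HeaderList &headers) {
    std::string out;
    for (const auto &h : headers) out += h.first + ": " + h.second + "\r\n";
    return out + "\r\n";
}

// Hardened serializer: refuses any field that would split a header line.
// Throwing (rather than silently stripping) keeps the caller aware of bad input.
std::string write_headers_checked(const HeaderList &headers) {
    for (const auto &h : headers) {
        if (!header_field_is_clean(h.first) || !header_field_is_clean(h.second))
            throw std::invalid_argument("CR/LF in header: " + h.first);
    }
    return write_headers_unchecked(headers);
}

// Number of "name: value" lines on the wire: CRLF-terminated lines before the
// blank line that ends the header block.
std::size_t count_wire_header_lines(const std::string &wire) {
    std::size_t n = 0, pos = 0;
    while (true) {
        std::size_t eol = wire.find("\r\n", pos);
        if (eol == std::string::npos || eol == pos) break;  // blank line = end of headers
        ++n;
        pos = eol + 2;
    }
    return n;
}

// Constructed input: two caller-supplied headers, the second carrying an
// embedded CRLF as an untrusted value might. Two headers go in; the unchecked
// writer emits three lines, the checked writer refuses the list.
bool demo_injection_detected() {
    HeaderList hs = {{"Host", "example.invalid"},
                     {"X-Forwarded-For", "10.0.0.1\r\nX-Constructed: extra"}};
    bool unchecked_split = count_wire_header_lines(write_headers_unchecked(hs)) == 3;
    bool checked_rejects = false;
    try { write_headers_checked(hs); } catch (const std::invalid_argument &) { checked_rejects = true; }
    return unchecked_split && checked_rejects;
}
```

The line count is the observable that a test or a proxy-side check can assert on: a header list of N entries must serialize to exactly N lines before the blank terminator.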