Bug 2419506 (CVE-2025-66577) - CVE-2025-66577 cpp-httplib: cpp-httplib Untrusted HTTP Header Handling: X-Forwarded-For/X-Real-IP Trust
Summary: CVE-2025-66577 cpp-httplib: cpp-httplib Untrusted HTTP Header Handling: X-Forwarded-For/X-Real-IP Trust
Keywords:
Status: NEW
Alias: CVE-2025-66577
Product: Security Response
Classification: Other
Component: vulnerability
Version: unspecified
Hardware: All
OS: Linux
Priority: medium
Severity: medium
Target Milestone: ---
Assignee: Product Security DevOps Team
QA Contact:
URL:
Whiteboard:
Depends On: 2419628 2419629 2419630 2419631 2419632
Blocks:
Reported: 2025-12-05 19:01 UTC by OSIDB Bzimport
Modified: 2025-12-05 23:21 UTC

Fixed In Version:
Clone Of:
Environment:
Last Closed:
Embargoed:



Description OSIDB Bzimport 2025-12-05 19:01:45 UTC
cpp-httplib is a C++11 single-file header-only cross-platform HTTP/HTTPS library. Prior to 0.27.0, attacker-controlled HTTP headers could influence server-visible metadata, logging, and authorization decisions. The get_client_ip() function in docker/main.cc (the server program built into the project's Docker image) accepted X-Forwarded-For and X-Real-IP headers unconditionally, without checking whether the TCP peer was a trusted reverse proxy. Any client could therefore supply an arbitrary value in either header and have the access and error logs (nginx_access_logger / nginx_error_logger) record a spoofed client IP, enabling log poisoning and audit evasion; any IP-based authorization built on the same helper is spoofable in the same way. Since the value is client-supplied, it can also carry characters that corrupt line-oriented logs unless it is validated before being written. This vulnerability is fixed in 0.27.0.
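The trust mistake described above, shown as an added example beside a hardened version. This is not cpp-httplib's code or the 0.27.0 fix; it models the request with a plain struct instead of httplib::Request, and the proxy addresses (192.0.2.x), client addresses (203.0.113.x) and header values are constructed test data. The hardened variant honours the forwarding headers only when the socket peer is a configured reverse proxy, walks X-Forwarded-For from the right to skip its own proxies, and rejects values that are not IP literals so a spoofed header cannot inject text into the log.

```cpp
// Added example (not cpp-httplib's own code): vulnerable vs. hardened
// client-IP resolution behind a reverse proxy.
#include <cassert>
#include <cctype>
#include <iostream>
#include <map>
#include <set>
#include <sstream>
#include <string>
#include <vector>

// Stand-in for the request object (assumption: not httplib::Request).
// remote_addr comes from the accepted socket; headers are client-controlled.
struct Request {
    std::string remote_addr;
    std::map<std::string, std::string> headers;

    bool has_header(const std::string& k) const { return headers.count(k) != 0; }
    std::string get_header_value(const std::string& k) const {
        auto it = headers.find(k);
        return it == headers.end() ? "" : it->second;
    }
};

// Vulnerable pattern: whatever the client sends overrides the socket peer,
// so a direct client can write any string into the access log.
std::string client_ip_vulnerable(const Request& req) {
    if (req.has_header("X-Forwarded-For")) return req.get_header_value("X-Forwarded-For");
    if (req.has_header("X-Real-IP")) return req.get_header_value("X-Real-IP");
    return req.remote_addr;
}

static std::string trim(const std::string& s) {
    size_t b = s.find_first_not_of(" \t");
    if (b == std::string::npos) return "";
    size_t e = s.find_last_not_of(" \t");
    return s.substr(b, e - b + 1);
}

// Accept only characters that can appear in an IPv4/IPv6 literal (simplified:
// hex digits, '.', ':'), so CRLF, spaces or quotes never reach the log line.
static bool looks_like_ip_literal(const std::string& s) {
    if (s.empty() || s.size() > 45) return false;
    for (char c : s)
        if (!std::isxdigit(static_cast<unsigned char>(c)) && c != '.' && c != ':') return false;
    return true;
}

// Hardened pattern: forwarding headers count only when the TCP peer is one of
// our proxies. X-Forwarded-For is read right-to-left: the rightmost hop was
// appended by the proxy we trust, hops further left were supplied by earlier
// parties and may be forged, so the first non-proxy hop from the right wins.
std::string client_ip_hardened(const Request& req,
                               const std::set<std::string>& trusted_proxies) {
    if (trusted_proxies.count(req.remote_addr) == 0) return req.remote_addr;

    std::vector<std::string> hops;
    std::stringstream ss(req.get_header_value("X-Forwarded-For"));
    std::string hop;
    while (std::getline(ss, hop, ',')) hops.push_back(trim(hop));

    for (auto it = hops.rbegin(); it != hops.rend(); ++it) {
        if (trusted_proxies.count(*it)) continue;                 // one of ours; keep walking
        return looks_like_ip_literal(*it) ? *it : req.remote_addr; // first untrusted hop
    }
    // No usable X-Forwarded-For: fall back to X-Real-IP set by the trusted
    // proxy, subject to the same literal check, else the socket peer itself.
    std::string real_ip = trim(req.get_header_value("X-Real-IP"));
    return looks_like_ip_literal(real_ip) ? real_ip : req.remote_addr;
}

int main() {
    // Constructed: a client hits the server directly and forges the header.
    Request direct{"203.0.113.7", {{"X-Forwarded-For", "10.0.0.1"}}};
    std::cout << "vulnerable: " << client_ip_vulnerable(direct) << "\n";           // 10.0.0.1
    std::cout << "hardened:   " << client_ip_hardened(direct, {"192.0.2.10"}) << "\n"; // 203.0.113.7
    return 0;
}
```

The trusted-proxy set must list the addresses that actually connect to the server, not the addresses a proxy claims for itself, and the literal check is a log-safety filter rather than a full address parser.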

