2426666 – (CVE-2026-21428) CVE-2026-21428 cpp-httplib: cpp-httplib: Server-Side Request Forgery via header injection

Bug 2426666 (CVE-2026-21428) - CVE-2026-21428 cpp-httplib: cpp-httplib: Server-Side Request Forgery via header injection

Summary: CVE-2026-21428 cpp-httplib: cpp-httplib: Server-Side Request Forgery via head...

Keywords:
Status:	NEW
Alias:	CVE-2026-21428
Product:	Security Response
Classification:	Other
Component:	vulnerability
Sub Component:
Version:	unspecified
Hardware:	All
OS:	Linux
Priority:	high
Severity:	high
Target Milestone:	---
Assignee:	Product Security DevOps Team
QA Contact:
Docs Contact:
URL:
Whiteboard:
Depends On:	2426696 2426697 2426698 2426699 2426700
Blocks:
TreeView+	depends on / blocked

Reported:	2026-01-01 18:01 UTC by OSIDB Bzimport
Modified:	2026-01-01 21:24 UTC (History)
CC List:	0 users
Fixed In Version:
Clone Of:
Environment:
Last Closed:
Embargoed:

Attachments	(Terms of Use)

Description OSIDB Bzimport 2026-01-01 18:01:20 UTC

cpp-httplib is a C++11 single-file header-only cross platform HTTP/HTTPS library. Prior to version 0.30.0, the ``write_headers`` function does not check for CR & LF characters in user supplied headers, allowing untrusted header value to escape header lines.
This vulnerability allows attackers to add extra headers, modify request body unexpectedly & trigger an SSRF attack. When combined with a server that supports http1.1 pipelining (springboot, python twisted etc), this can be used for server side request forgery (SSRF). Version 0.30.0 fixes this issue.

Note You need to log in before you can comment on or make changes to this bug.