Bug 2444614 (CVE-2026-28434) - CVE-2026-28434 cpp-httplib: default exception handler leaks e.what() to clients via EXCEPTION_WHAT response header
Summary: CVE-2026-28434 cpp-httplib: default exception handler leaks e.what() to clien...
Keywords:
Status: NEW
Alias: CVE-2026-28434
Product: Security Response
Classification: Other
Component: vulnerability
Version: unspecified
Hardware: All
OS: Linux
medium
medium
Target Milestone: ---
Assignee: Product Security DevOps Team
QA Contact:
URL:
Whiteboard:
Depends On: 2444635 2444636
Blocks:
Reported: 2026-03-04 20:01 UTC by OSIDB Bzimport
Modified: 2026-03-04 20:22 UTC (History)
0 users

Fixed In Version:
Clone Of:
Environment:
Last Closed:
Embargoed:


Description OSIDB Bzimport 2026-03-04 20:01:29 UTC
cpp-httplib is a C++11 single-file header-only cross platform HTTP/HTTPS library. Prior to 0.35.0, when a request handler throws a C++ exception and the application has not registered a custom exception handler via set_exception_handler(), the library catches the exception and writes its message directly into the HTTP response as a header named EXCEPTION_WHAT. This header is sent to whoever made the request, with no authentication check and no special configuration required to trigger it. The behavior is on by default. A developer who does not know to opt in to set_exception_handler() will ship a server that leaks internal exception messages to any client. This vulnerability is fixed in 0.35.0.
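As an added illustration of the issue described above (example code written for this page, not cpp-httplib's own source), the block below models both behaviours side by side: a handler that copies e.what() into an EXCEPTION_WHAT header, as the advisory describes for the default path, and a hardened handler that returns a generic 500 and keeps the exception text in a server-side log. The Request and Response structs are minimal stand-ins for httplib::Request and httplib::Response so the code runs without httplib.h, and the dispatch function stands in for the library's request loop; in a real server the hardened function would be registered with svr.set_exception_handler(), whose current signature takes (const Request&, Response&, std::exception_ptr). The leaks_exception_text check is the one a reviewer or test suite can run against any response to confirm the fix is in place.

```cpp
#include <exception>
#include <iostream>
#include <map>
#include <stdexcept>
#include <string>
#include <vector>

// Constructed stand-ins for httplib::Request / httplib::Response (hypothetical;
// the real types live in httplib.h and carry many more fields).
struct Request { std::string path; };
struct Response {
    int status = 200;
    std::string body;
    std::map<std::string, std::string> headers;
    void set_header(const std::string& k, const std::string& v) { headers[k] = v; }
    void set_content(const std::string& b, const std::string& type) {
        body = b;
        set_header("Content-Type", type);
    }
};

// Server-side log sink (constructed for the example); never sent to clients.
std::vector<std::string>& server_log() {
    static std::vector<std::string> log;
    return log;
}

// Behaviour the advisory attributes to cpp-httplib < 0.35.0 when no custom
// exception handler is registered: the exception message becomes a header.
void leaky_default_handler(const Request&, Response& res, std::exception_ptr ep) {
    res.status = 500;
    try { std::rethrow_exception(ep); }
    catch (const std::exception& e) { res.set_header("EXCEPTION_WHAT", e.what()); }
    catch (...) { res.set_header("EXCEPTION_WHAT", "unknown exception"); }
}

// Hardened handler: generic error to the client, details only in the log.
// In real code: svr.set_exception_handler(safe_exception_handler);
void safe_exception_handler(const Request& req, Response& res, std::exception_ptr ep) {
    std::string detail = "unknown exception";
    try { std::rethrow_exception(ep); }
    catch (const std::exception& e) { detail = e.what(); }
    catch (...) {}
    server_log().push_back("handler for " + req.path + " threw: " + detail);
    res.status = 500;
    res.set_content("Internal Server Error", "text/plain");
}

// Stand-in for the library's dispatch loop: run the route handler and hand
// any escaping exception to the registered exception handler.
template <class Handler, class ExHandler>
Response dispatch(const Request& req, Handler handler, ExHandler on_exception) {
    Response res;
    try { handler(req, res); }
    catch (...) { on_exception(req, res, std::current_exception()); }
    return res;
}

// Defensive check: does a response expose exception text to the client,
// either via the EXCEPTION_WHAT header or by echoing the message in the body?
bool leaks_exception_text(const Response& res, const std::string& what) {
    if (res.headers.count("EXCEPTION_WHAT")) return true;
    return res.body.find(what) != std::string::npos;
}

// Route handler that fails with an internal detail (constructed message).
void failing_route(const Request&, Response&) {
    throw std::runtime_error("db: connection refused (host=db-internal)");
}

int main() {
    Request req{"/orders"};
    Response leaky = dispatch(req, failing_route, leaky_default_handler);
    Response safe  = dispatch(req, failing_route, safe_exception_handler);
    std::cout << "default handler leaks: " << std::boolalpha
              << leaks_exception_text(leaky, "db: connection") << '\n';
    std::cout << "hardened handler leaks: "
              << leaks_exception_text(safe, "db: connection") << '\n';
    for (const auto& line : server_log()) std::cout << "[server log] " << line << '\n';
    return 0;
}
```

Running the block prints `true` for the default-style handler and `false` for the hardened one, with the exception detail appearing only in the server log. The same leaks_exception_text check can be pointed at real httplib::Response objects in an integration test so a future regression to the default path is caught before deployment.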

