2447488 – (CVE-2026-32627) CVE-2026-32627 cpp-httplib: silent TLS certificate verification bypass on HTTPS Redirect via proxy

Bug 2447488 (CVE-2026-32627) - CVE-2026-32627 cpp-httplib: silent TLS certificate verification bypass on HTTPS Redirect via proxy

Summary: CVE-2026-32627 cpp-httplib: silent TLS certificate verification bypass on HTT...

Keywords:
Status:	NEW
Alias:	CVE-2026-32627
Product:	Security Response
Classification:	Other
Component:	vulnerability
Sub Component:
Version:	unspecified
Hardware:	All
OS:	Linux
Priority:	high
Severity:	high
Target Milestone:	---
Assignee:	Product Security
QA Contact:
Docs Contact:
URL:
Whiteboard:
Depends On:	2448104 2448105
Blocks:
TreeView+	depends on / blocked

Reported:	2026-03-13 21:02 UTC by OSIDB Bzimport
Modified:	2026-03-20 20:39 UTC (History)
CC List:	0 users
Fixed In Version:
Clone Of:
Environment:
Last Closed:
Embargoed:

Attachments	(Terms of Use)

Description OSIDB Bzimport 2026-03-13 21:02:04 UTC

cpp-httplib is a C++11 single-file header-only cross platform HTTP/HTTPS library. Prior to 0.37.2, when a cpp-httplib client is configured with a proxy and set_follow_location(true), any HTTPS redirect it follows will have TLS certificate and hostname verification silently disabled on the new connection. The client will accept any certificate presented by the redirect target — expired, self-signed, or forged — without raising an error or notifying the application. A network attacker in a position to return a redirect response can fully intercept the follow-up HTTPS connection, including any credentials or session tokens in flight. This vulnerability is fixed in 0.37.2.

Note You need to log in before you can comment on or make changes to this bug.