Source: cpp-httplib
Version: 0.18.7-1
Severity: important
Tags: security upstream
X-Debbugs-Cc: [email protected], Debian Security Team <[email protected]>

Hi,

The following vulnerabilities were published for cpp-httplib.

CVE-2025-66570[0]:
| cpp-httplib is a C++11 single-file header-only cross platform
| HTTP/HTTPS library. Prior to 0.27.0, a vulnerability allows
| attacker-controlled HTTP headers to influence server-visible
| metadata, logging, and authorization decisions. An attacker can
| inject headers named REMOTE_ADDR, REMOTE_PORT, LOCAL_ADDR,
| LOCAL_PORT that are parsed into the request header multimap via
| read_headers() in httplib.h (headers.emplace), then the server later
| appends its own internal metadata using the same header names in
| Server::process_request without erasing duplicates. Because
| Request::get_header_value returns the first entry for a header key
| (id == 0) and the client-supplied headers are parsed before server-
| inserted headers, downstream code that uses these header names may
| inadvertently use attacker-controlled values. Affected
| files/locations: cpp-httplib/httplib.h (read_headers,
| Server::process_request, Request::get_header_value,
| get_header_value_u64) and cpp-httplib/docker/main.cc (get_client_ip,
| nginx_access_logger, nginx_error_logger). Attack surface: attacker-
| controlled HTTP headers in incoming requests flow into the
| Request.headers multimap and into logging code that reads forwarded
| headers, enabling IP spoofing, log poisoning, and authorization
| bypass via header shadowing. This vulnerability is fixed in 0.27.0.

CVE-2025-66577[1]:
| cpp-httplib is a C++11 single-file header-only cross platform
| HTTP/HTTPS library. Prior to 0.27.0, a vulnerability allows
| attacker-controlled HTTP headers to influence server-visible
| metadata, logging, and authorization decisions. An attacker can
| supply X-Forwarded-For or X-Real-IP headers which get accepted
| unconditionally by get_client_ip() in docker/main.cc, causing access
| and error logs (nginx_access_logger / nginx_error_logger) to record
| spoofed client IPs (log poisoning / audit evasion). This
| vulnerability is fixed in 0.27.0.

If you fix the vulnerabilities please also make sure to include the
CVE (Common Vulnerabilities & Exposures) ids in your changelog entry.

For further information see:

[0] https://security-tracker.debian.org/tracker/CVE-2025-66570
    https://www.cve.org/CVERecord?id=CVE-2025-66570
[1] https://security-tracker.debian.org/tracker/CVE-2025-66577
    https://www.cve.org/CVERecord?id=CVE-2025-66577

Please adjust the affected versions in the BTS as needed.

Regards,
Salvatore
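Added illustration (not part of the bug report, and not cpp-httplib's own code): a small stand-in that models both failure modes described above and the defensive fix for each. The header container is a case-insensitive std::multimap like the library's Request::headers, and get_header_value returns the first entry for a key, mirroring the advisory's description. The vulnerable helpers reproduce the described behaviour (server metadata emplaced after client headers without erasing duplicates; X-Forwarded-For honoured unconditionally); the hardened ones erase reserved names before inserting server-observed values and only honour forwarding headers from a configured trusted proxy. All function names, addresses and the trusted-proxy list are constructed for the example.

```cpp
#include <algorithm>
#include <cctype>
#include <iostream>
#include <map>
#include <set>
#include <string>

// Case-insensitive key comparator, as an HTTP header map needs (constructed stand-in).
struct ci {
    bool operator()(const std::string &a, const std::string &b) const {
        return std::lexicographical_compare(
            a.begin(), a.end(), b.begin(), b.end(),
            [](unsigned char x, unsigned char y) { return std::tolower(x) < std::tolower(y); });
    }
};
using Headers = std::multimap<std::string, std::string, ci>;

// Stand-in for Request::get_header_value: first entry for the key, "" if absent.
// std::multimap keeps insertion order among equal keys, so whoever inserted first wins.
std::string get_header_value(const Headers &h, const std::string &key) {
    auto r = h.equal_range(key);
    return r.first == r.second ? std::string() : r.first->second;
}

// Vulnerable pattern (as the advisory describes pre-0.27.0): server metadata is
// emplaced after the client-supplied headers, so a client-supplied REMOTE_ADDR
// stays in front and shadows the real value.
void set_server_metadata_vulnerable(Headers &h, const std::string &addr, int port) {
    h.emplace("REMOTE_ADDR", addr);
    h.emplace("REMOTE_PORT", std::to_string(port));
}

// Hardened pattern: drop any client-supplied entries for reserved names first,
// so the only entry for REMOTE_ADDR / REMOTE_PORT is the server-observed one.
void set_server_metadata_hardened(Headers &h, const std::string &addr, int port) {
    h.erase("REMOTE_ADDR");
    h.erase("REMOTE_PORT");
    h.emplace("REMOTE_ADDR", addr);
    h.emplace("REMOTE_PORT", std::to_string(port));
}

// Scenario: the request carried a client-supplied REMOTE_ADDR (constructed value),
// then the server step runs. Returns what downstream code would observe.
std::string observed_remote_addr(bool hardened) {
    Headers h;
    h.emplace("Host", "example.test");
    h.emplace("REMOTE_ADDR", "203.0.113.9");   // constructed, client-supplied
    if (hardened) set_server_metadata_hardened(h, "198.51.100.2", 4242);
    else          set_server_metadata_vulnerable(h, "198.51.100.2", 4242);
    return get_header_value(h, "REMOTE_ADDR");
}

// Vulnerable client-IP selection (constructed stand-in for the described
// get_client_ip): forwarding headers are trusted regardless of who sent them.
std::string get_client_ip_vulnerable(const Headers &h, const std::string &peer) {
    std::string xff = get_header_value(h, "X-Forwarded-For");
    if (!xff.empty()) return xff.substr(0, xff.find(','));
    std::string xri = get_header_value(h, "X-Real-IP");
    return xri.empty() ? peer : xri;
}

// Hardened client-IP selection: forwarding headers count only when the TCP peer
// is a configured trusted proxy, and only the rightmost X-Forwarded-For hop
// (the one that proxy appended) is used; otherwise the socket peer is logged.
std::string get_client_ip_hardened(const Headers &h, const std::string &peer,
                                   const std::set<std::string> &trusted_proxies) {
    if (!trusted_proxies.count(peer)) return peer;   // direct connection: ignore headers
    std::string xff = get_header_value(h, "X-Forwarded-For");
    if (!xff.empty()) {
        auto pos = xff.rfind(',');
        std::string last = (pos == std::string::npos) ? xff : xff.substr(pos + 1);
        auto start = last.find_first_not_of(' ');
        return (start == std::string::npos) ? peer : last.substr(start);
    }
    std::string xri = get_header_value(h, "X-Real-IP");
    return xri.empty() ? peer : xri;
}

// Scenario: a client at 192.0.2.77 sends a spoofed X-Forwarded-For (constructed).
// Behind the trusted proxy 10.0.0.1 the proxy appends the real peer to the header.
std::string logged_client_ip(bool hardened, bool via_trusted_proxy) {
    const std::set<std::string> trusted = {"10.0.0.1"};  // constructed proxy address
    Headers h;
    h.emplace("X-Forwarded-For", via_trusted_proxy ? "203.0.113.9, 192.0.2.77"
                                                   : "203.0.113.9");
    std::string peer = via_trusted_proxy ? "10.0.0.1" : "192.0.2.77";
    return hardened ? get_client_ip_hardened(h, peer, trusted)
                    : get_client_ip_vulnerable(h, peer);
}

int main() {
    std::cout << "REMOTE_ADDR vulnerable: " << observed_remote_addr(false) << "\n"
              << "REMOTE_ADDR hardened:   " << observed_remote_addr(true) << "\n"
              << "client IP vulnerable/direct: " << logged_client_ip(false, false) << "\n"
              << "client IP hardened/direct:   " << logged_client_ip(true, false) << "\n"
              << "client IP hardened/proxied:  " << logged_client_ip(true, true) << "\n";
}
```

The two scenario functions make the shadowing concrete: with the vulnerable ordering, the first REMOTE_ADDR entry is the client's, and with unconditional forwarding-header trust the logged address is whatever the client wrote, whether or not a proxy sits in front. Erasing reserved names before the server inserts its own values, and gating X-Forwarded-For / X-Real-IP on a trusted-proxy allow-list, removes both paths.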

