Source: cpp-httplib
Version: 0.18.7-1
Severity: important
Tags: security upstream
X-Debbugs-Cc: [email protected], Debian Security Team <[email protected]>

Hi,

The following vulnerability was published for cpp-httplib.

CVE-2026-33745[0]:
| cpp-httplib is a C++11 single-file header-only cross platform
| HTTP/HTTPS library. Prior to 0.39.0, the cpp-httplib HTTP client
| forwards stored Basic Auth, Bearer Token, and Digest Auth
| credentials to arbitrary hosts when following cross-origin HTTP
| redirects (301/302/307/308). A malicious or compromised server can
| redirect the client to an attacker-controlled host, which then
| receives the plaintext credentials in the `Authorization` header.
| Version 0.39.0 fixes the issue.

Note, we have a relatively old version already in unstable, and I'm not 100% sure we have a proper assessment in the security-tracker, please double-check, but I assume you will soon move to something newer and latest for forky?

If you fix the vulnerability please also make sure to include the CVE (Common Vulnerabilities & Exposures) id in your changelog entry.

For further information see:

[0] https://security-tracker.debian.org/tracker/CVE-2026-33745
    https://www.cve.org/CVERecord?id=CVE-2026-33745
[1] https://github.com/yhirose/cpp-httplib/security/advisories/GHSA-6hrp-7fq9-3qv2

Please adjust the affected versions in the BTS as needed.

Regards,
Salvatore
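The class of bug the advisory describes, as an added C++ example (not cpp-httplib's own code and not its actual fix): a hypothetical redirect-following helper that keeps `Authorization` only when the `Location` target has the same scheme, host and port as the original request, treating relative and scheme-relative targets correctly.

```cpp
#include <cctype>
#include <map>
#include <string>

// Origin = (scheme, host, port); ok is false for relative or non-http(s) URLs.
struct Origin { std::string scheme, host; int port = 0; bool ok = false; };

// Minimal parser for absolute http(s) URLs (hypothetical helper, not cpp-httplib code).
Origin parse_origin(const std::string& url) {
    Origin o;
    auto p = url.find("://");
    if (p == std::string::npos) return o;
    o.scheme = url.substr(0, p);
    if (o.scheme != "http" && o.scheme != "https") return o;
    std::string rest = url.substr(p + 3);
    std::string authority = rest.substr(0, rest.find_first_of("/?#"));  // host[:port]
    auto at = authority.rfind('@');                 // strip userinfo
    if (at != std::string::npos) authority = authority.substr(at + 1);
    auto rb = authority.rfind(']');                 // skip colons inside an IPv6 literal
    auto colon = authority.find(':', rb == std::string::npos ? 0 : rb);
    if (colon != std::string::npos) {
        o.host = authority.substr(0, colon);
        o.port = std::stoi(authority.substr(colon + 1));
    } else {
        o.host = authority;
        o.port = (o.scheme == "https") ? 443 : 80;  // default ports
    }
    for (auto& c : o.host) c = static_cast<char>(std::tolower(static_cast<unsigned char>(c)));
    o.ok = !o.host.empty();
    return o;
}

bool same_origin(const Origin& a, const Origin& b) {
    return a.ok && b.ok && a.scheme == b.scheme && a.host == b.host && a.port == b.port;
}

using Headers = std::map<std::string, std::string>;

// Build the header set for the follow-up request after a 301/302/307/308.
// Credential headers survive only when the Location target shares the original
// origin; a relative Location is same-origin, a "//host/..." one is not necessarily.
Headers headers_for_redirect(const Headers& req, const std::string& from_url,
                             const std::string& location) {
    Origin from = parse_origin(from_url);
    std::string loc = (location.rfind("//", 0) == 0) ? from.scheme + ":" + location : location;
    Origin to = (loc.find("://") == std::string::npos) ? from : parse_origin(loc);
    Headers out = req;
    if (!same_origin(from, to)) {
        out.erase("Authorization");        // Basic, Bearer and Digest all travel here
        out.erase("Proxy-Authorization");
    }
    return out;
}
```

An https-to-http downgrade on the same host also counts as cross-origin here, so the credentials are dropped rather than sent in clear.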

