Source: cpp-httplib Version: 0.18.7-1 Severity: important Tags: security upstream X-Debbugs-Cc: [email protected], Debian Security Team <[email protected]>
Hi, The following vulnerability was published for cpp-httplib. CVE-2026-21428[0]: | cpp-httplib is a C++11 single-file header-only cross platform | HTTP/HTTPS library. Prior to version 0.30.0, the ``write_headers`` | function does not check for CR & LF characters in user supplied | headers, allowing untrusted header value to escape header lines. | This vulnerability allows attackers to add extra headers, modify | request body unexpectedly & trigger an SSRF attack. When combined | with a server that supports http1.1 pipelining (springboot, python | twisted etc), this can be used for server side request forgery | (SSRF). Version 0.30.0 fixes this issue. If you fix the vulnerability please also make sure to include the CVE (Common Vulnerabilities & Exposures) id in your changelog entry. For further information see: [0] https://security-tracker.debian.org/tracker/CVE-2026-21428 https://www.cve.org/CVERecord?id=CVE-2026-21428 [1] https://github.com/yhirose/cpp-httplib/security/advisories/GHSA-wpc6-j37r-jcx7 [2] https://github.com/yhirose/cpp-httplib/commit/98048a033a532ff22320ce1d11789f8d5710dfcd Please adjust the affected versions in the BTS as needed. Regards, Salvatore
