CVE-2023-26130

Name of the Vulnerable Software and Affected Versions yhirose/cpp-httplib versions prior to 0.12.4

Description The issue is related to the incomplete fix for a previous problem, which allows an attacker to inject arbitrary HTTP headers when untrusted user input is used to set the content-type header in HTTP requests, such as .Patch, .Post, .Put, and .Delete. This can lead to logical errors and other misbehaviors. The vulnerability is due to the lack of measures to neutralize CRLF sequences.

Recommendations For versions prior to 0.12.4, update to version 0.12.4 or later to resolve the issue. As a temporary workaround, consider validating and sanitizing user input for the content-type header to prevent CRLF injection. Restrict access to the HTTP .Patch, .Post, .Put, and .Delete requests until the issue is resolved.