CVE-2025-66570

Name of the Vulnerable Software and Affected Versions cpp-httplib versions prior to 0.27.0

Description The cpp-httplib library has a flaw where attacker-controlled HTTP headers can influence server metadata, logging, and authorization decisions. An attacker can inject headers such as REMOTE ADDR, REMOTE PORT, LOCAL ADDR, and LOCAL PORT. These headers are parsed into the request header multimap via the read headers() function in httplib.h (specifically, headers.emplace). The server then appends its own internal metadata using the same header names in Server::process request without removing duplicates. Because Request::get header value returns the first entry for a header key, client-supplied headers take precedence. This can lead to IP spoofing, log poisoning, and authorization bypass through header shadowing. The affected files and locations include cpp-httplib/httplib.h (read headers, Server::process request, Request::get header value, get header value u64) and cpp-httplib/docker/main.cc (get client ip, nginx access logger, nginx error logger). The attack surface involves attacker-controlled HTTP headers flowing into the Request.headers multimap and into logging code that reads forwarded headers.

Recommendations Update cpp-httplib to version 0.27.0 or later.