PT-2025-49306 · Unknown · Cpp-Httplib

Published 2025-01-01 · Updated 2026-01-21 · CVE-2025-66577

CVSS v3.1 5.3 Medium
Vector AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N
Name of the Vulnerable Software and Affected Versions: cpp-httplib versions prior to 0.27.0
Description: cpp-httplib is a C++11 single-file, header-only, cross-platform HTTP/HTTPS library. In versions prior to 0.27.0, attacker-controlled HTTP headers can influence server-visible metadata, logging, and authorization decisions: the get_client_ip() function in docker/main.cc unconditionally accepts the X-Forwarded-For or X-Real-IP header as the client address, whether or not the request arrived through a trusted proxy. Any client can therefore spoof the source IP recorded in access and error logs (log poisoning / audit evasion), and anything else that keys on that address, such as an authorization decision, is affected in the same way.
Recommendations: Update to version 0.27.0 or later.
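The pattern the advisory describes, beside a hardened replacement, as an added example. This is not cpp-httplib's own code: the Request struct, the trusted-proxy set, the helper names and the sample addresses are constructed for illustration. The hardened version trusts forwarding headers only when the TCP peer is a proxy the operator runs, and walks X-Forwarded-For from the right so that hops prepended by the client are ignored.

```cpp
#include <iostream>
#include <map>
#include <set>
#include <string>
#include <vector>

// Stand-in for the request object: the TCP peer address as seen by the
// socket plus the header map. Constructed for this example, not
// cpp-httplib's httplib::Request.
struct Request {
    std::string remote_addr;
    std::map<std::string, std::string> headers;
};

static std::string trim(const std::string& s) {
    const char* ws = " \t";
    std::string::size_type b = s.find_first_not_of(ws);
    if (b == std::string::npos) return "";
    std::string::size_type e = s.find_last_not_of(ws);
    return s.substr(b, e - b + 1);
}

// Split a comma-separated header value into trimmed elements.
static std::vector<std::string> split_csv(const std::string& s) {
    std::vector<std::string> out;
    std::string cur;
    for (char c : s) {
        if (c == ',') { out.push_back(trim(cur)); cur.clear(); }
        else cur += c;
    }
    out.push_back(trim(cur));
    return out;
}

// Vulnerable pattern (modelled on the advisory text, hypothetical name):
// whatever the client puts in X-Forwarded-For or X-Real-IP is taken at
// face value, so a direct client controls the address that gets logged.
std::string get_client_ip_vulnerable(const Request& req) {
    auto it = req.headers.find("X-Forwarded-For");
    if (it != req.headers.end() && !it->second.empty())
        return split_csv(it->second).front();
    it = req.headers.find("X-Real-IP");
    if (it != req.headers.end() && !it->second.empty())
        return trim(it->second);
    return req.remote_addr;
}

// Hardened version: honour X-Forwarded-For only when the TCP peer is one
// of our own proxies. Walk the list from the right, skip our proxies, and
// return the first address that is not ours: the hop the last trusted
// proxy actually talked to. Everything further left was supplied by the
// client and is ignored. X-Real-IP is not consulted at all.
std::string get_client_ip_hardened(const Request& req,
                                   const std::set<std::string>& trusted_proxies) {
    if (trusted_proxies.count(req.remote_addr) == 0)
        return req.remote_addr;  // direct connection: headers are attacker-controlled
    auto it = req.headers.find("X-Forwarded-For");
    if (it == req.headers.end() || it->second.empty())
        return req.remote_addr;
    std::vector<std::string> hops = split_csv(it->second);
    for (auto h = hops.rbegin(); h != hops.rend(); ++h) {
        if (h->empty()) continue;
        if (trusted_proxies.count(*h) == 0) return *h;
    }
    return req.remote_addr;  // every listed hop was one of our proxies
}

int main() {
    const std::set<std::string> trusted = {"10.0.0.2"};  // our reverse proxy (assumed)

    // A client connecting directly and claiming to be localhost.
    Request direct{"198.51.100.7", {{"X-Forwarded-For", "127.0.0.1"}}};
    std::cout << "direct, vulnerable: " << get_client_ip_vulnerable(direct) << "\n";
    std::cout << "direct, hardened:   " << get_client_ip_hardened(direct, trusted) << "\n";

    // The same spoof arriving through our proxy, which appended the real client.
    Request via_proxy{"10.0.0.2", {{"X-Forwarded-For", "127.0.0.1, 203.0.113.5"}}};
    std::cout << "proxied, hardened:  " << get_client_ip_hardened(via_proxy, trusted) << "\n";
    return 0;
}
```

The trusted-proxy set must match the addresses your proxies actually connect from; if the server is ever exposed without the proxy in front, the hardened function degrades safely to the socket peer address rather than to whatever the client sent.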

Exploit

Fix

Weakness Enumeration

Related Identifiers

CVE-2025-66577
ECHO-EE91-3948-5C74
GHSA-GFPF-R66F-5MH2
OPENSUSE-SU-2025:15844-1
OPENSUSE-SU-2026:20056-1
SUSE-SU-2026:20090-1

Affected Products

Debian
Cpp-Httplib