CVE-2026-46527: cpp-httplib Remote DoS via Malformed X-Forwarded-For Header
cpp-httplib versions before 0.44.0 crash when a trusted proxy configuration is enabled and an attacker sends a specially crafted X-Forwarded-For header that contains no parseable IP addresses. The crash results from the library attempting to access an empty data structure without bounds checking, causing the application to terminate abnormally. This is a denial-of-service vulnerability affecting only deployments that have explicitly configured trusted proxies.
Source data · NVD / CISA · public domain
- CVSS
- 3.1 · 7.5 HIGH · CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
- Weaknesses (CWE)
- CWE-476
- Affected products
- 1 configuration(s)
- Published / Modified
- 2026-05-29 / 2026-06-17
NVD description (verbatim)
cpp-httplib is a C++11 single-file header-only cross platform HTTP/HTTPS library. Prior to 0.44.0, When the server has called Server::set_trusted_proxies() with a non-empty trusted-proxy list, an attacker can send an HTTP request that includes an X-Forwarded-For header whose value parses to no valid IP segments. The code path then executes get_client_ip(), which calls front() on an empty std::vector—undefined behavior in C++. On typical implementations this manifests as abnormal process termination (denial of service). With Sanitizers enabled, you get an explicit runtime diagnostic. This vulnerability is fixed in 0.44.0.
2 reference(s) · View on NVD →
SEC.co analysis · AI-assisted, reviewed against source
Technical summary
The vulnerability exists in cpp-httplib's proxy IP parsing logic. When Server::set_trusted_proxies() is configured with one or more trusted proxy addresses, the library processes incoming X-Forwarded-For headers through get_client_ip(). If the header value fails to parse into any valid IP segments, the resulting std::vector remains empty. The code then calls front() on this empty container, triggering undefined behavior in C++. On most systems, this manifests as a segmentation fault and process termination. Sanitizer-enabled builds explicitly detect and report the out-of-bounds access.
Business impact
Affected applications become vulnerable to remote denial-of-service attacks that require no authentication. An attacker can crash the HTTP server by sending a single malformed request, disrupting service availability. The impact is particularly severe for always-on services, APIs, and microservices that rely on cpp-httplib for HTTP handling and have trusted proxy lists configured—common in containerized and load-balanced deployments.
Affected systems
cpp-httplib versions prior to 0.44.0 are affected. The vulnerability only manifests in deployments where Server::set_trusted_proxies() has been called with a non-empty list. Applications that do not use proxy trust configuration or have upgraded to 0.44.0 or later are not vulnerable.
Exploitability
Exploitability is straightforward. The attack requires only network access and knowledge that a target is running vulnerable cpp-httplib with proxy trust enabled. No authentication, user interaction, or sophisticated payload crafting is necessary—a malformed X-Forwarded-For header suffices. The CVSS 3.1 score of 7.5 (HIGH) reflects the low attack complexity and network accessibility, moderated by the availability-only impact and configuration prerequisite.
Remediation
Upgrade cpp-httplib to version 0.44.0 or later. The fix adds proper bounds checking before accessing the IP vector, eliminating the undefined behavior. Organizations should verify that their build integrates the patched header-only library and redeploy affected applications.
Patch guidance
Since cpp-httplib is header-only, patching requires obtaining the updated header file from the official yhirose/cpp-httplib repository (verify version 0.44.0 or later) and rebuilding dependent applications. There is no binary package or runtime patch; the fix is integrated at compile time. Review your dependency management and CI/CD pipeline to ensure the new version is pulled during next builds, then redeploy.
Detection guidance
Monitor application logs and system metrics for unexpected process crashes or exit codes when the application receives HTTP requests. Network-level detection can identify X-Forwarded-For headers with malformed or empty IP values; alert on such patterns if your proxy-enabled deployment receives them. Sanitizer-enabled builds (ASAN, UBSan) will generate explicit diagnostics upon exploitation. In production, canary deployments of the patched version can validate the fix before full rollout.
Why prioritize this
This is a HIGH-severity denial-of-service vulnerability affecting availability. Prioritize patching if your organization uses cpp-httplib with trusted proxy configuration in production, especially in microservices or containerized environments where availability is critical. The low attack complexity and network accessibility increase urgency. However, applications without proxy trust enabled face no risk and can deprioritize this patch accordingly.
Risk score, explained
CVSS 3.1 score 7.5 reflects a HIGH-severity availability impact (process crash) accessible over the network with no authentication or user interaction required. The score is not higher because the attack only affects availability (not confidentiality or integrity) and requires a specific configuration prerequisite (trusted proxies enabled). Organizations relying on cpp-httplib for public-facing APIs should treat this as urgent; internal-only deployments may accept slightly longer remediation windows.
Frequently asked questions
Do we need to patch if we don't use trusted proxies?
No. The vulnerability only triggers if your application has called Server::set_trusted_proxies() with a non-empty list. If you do not use proxy trust features, the vulnerable code path is not executed, and you are not at risk from this CVE.
Is there a workaround other than upgrading?
The most reliable workaround is to disable or remove the trusted proxy configuration if it is not essential. However, this may break legitimate proxy-based deployments. The recommended approach is to upgrade to 0.44.0 or later, which eliminates the underlying issue.
Can this vulnerability compromise data or allow unauthorized access?
No. The vulnerability causes process termination only. It does not leak data, permit authentication bypass, or allow code execution. The impact is strictly denial of service.
How long has this been exploitable?
cpp-httplib versions prior to 0.44.0 are affected. The exact introduction date of the vulnerability is not specified in the advisory, but it exists in all releases before 0.44.0. Check your deployed version and patch immediately if it is older than 0.44.0.
This analysis is provided for informational purposes and reflects publicly available vulnerability data as of the publication date. Organizations should verify patch availability and applicability within their specific environment and consult the official yhirose/cpp-httplib repository and vendor advisories for the most current guidance. SEC.co makes no warranty regarding exploit availability, detection evasion, or remediation effectiveness in any particular deployment. Source: NVD (public-domain), retrieved 2026-07-07. Analysis generated by SEC.co (claude-haiku-4-5).
Related vulnerabilities
- CVE-2025-59604HIGHQualcomm Snapdragon Memory Corruption Vulnerability – HIGH Severity
- CVE-2025-59606HIGHQualcomm Chipset Memory Corruption Local Privilege Escalation
- CVE-2025-70099HIGHNULL Pointer Dereference in lwext4 Directory Parsing (Denial of Service)
- CVE-2026-37226HIGHFlexRIC iApp Denial-of-Service via Invalid E2 Node Subscription
- CVE-2026-37230HIGHFlexRIC v2.0.0 RIC_INDICATION Denial-of-Service Vulnerability
- CVE-2026-46110HIGHLinux stmmac NULL Dereference DoS Vulnerability
- CVE-2026-46114HIGHLinux Kernel RDMA RXE Remote Memory Leak via Malformed ATOMIC_WRITE
- CVE-2025-60477MEDIUMMP4Box NULL Pointer Dereference Denial of Service