CVE-2026-46527

Severity CVSS v4.0:
HIGH
Type:
CWE-476 NULL Pointer Dereference
Publication date:
29/05/2026
Last modified:
01/06/2026

Description

cpp-httplib is a C++11 single-file header-only cross platform HTTP/HTTPS library. Prior to 0.44.0, When the server has called Server::set_trusted_proxies() with a non-empty trusted-proxy list, an attacker can send an HTTP request that includes an X-Forwarded-For header whose value parses to no valid IP segments. The code path then executes get_client_ip(), which calls front() on an empty std::vector—undefined behavior in C++. On typical implementations this manifests as abnormal process termination (denial of service). With Sanitizers enabled, you get an explicit runtime diagnostic. This vulnerability is fixed in 0.44.0.

Vulnerable products and versions

CPE From Up to
cpe:2.3:a:yhirose:cpp-httplib:*:*:*:*:*:*:*:* 0.44.0 (excluding)