The SentinelOne Annual Threat Report - A Defenders Guide from the FrontlinesThe SentinelOne Annual Threat ReportGet the Report
Experiencing a Breach?Blog
Get StartedContact Us
SentinelOne
  • Platform
    Platform Overview
    • Singularity Platform
      Welcome to Integrated Enterprise Security
    • AI for Security
      Leading the Way in AI-Powered Security Solutions
    • Securing AI
      Accelerate AI Adoption with Secure AI Tools, Apps, and Agents.
    • How It Works
      The Singularity XDR Difference
    • Singularity Marketplace
      One-Click Integrations to Unlock the Power of XDR
    • Pricing & Packaging
      Comparisons and Guidance at a Glance
    Data & AI
    • Purple AI
      Accelerate SecOps with Generative AI
    • Singularity Hyperautomation
      Easily Automate Security Processes
    • AI-SIEM
      The AI SIEM for the Autonomous SOC
    • AI Data Pipelines
      Security Data Pipeline for AI SIEM and Data Optimization
    • Singularity Data Lake
      AI-Powered, Unified Data Lake
    • Singularity Data Lake for Log Analytics
      Seamlessly Ingest Data from On-Prem, Cloud or Hybrid Environments
    Endpoint Security
    • Singularity Endpoint
      Autonomous Prevention, Detection, and Response
    • Singularity XDR
      Native & Open Protection, Detection, and Response
    • Singularity RemoteOps Forensics
      Orchestrate Forensics at Scale
    • Singularity Threat Intelligence
      Comprehensive Adversary Intelligence
    • Singularity Vulnerability Management
      Application & OS Vulnerability Management
    • Singularity Identity
      Identity Threat Detection and Response
    Cloud Security
    • Singularity Cloud Security
      Block Attacks with an AI-Powered CNAPP
    • Singularity Cloud Native Security
      Secure Cloud and Development Resources
    • Singularity Cloud Workload Security
      Real-Time Cloud Workload Protection Platform
    • Singularity Cloud Data Security
      AI-Powered Threat Detection for Cloud Storage
    • Singularity Cloud Security Posture Management
      Detect and Remediate Cloud Misconfigurations
    Securing AI
    • Prompt Security
      Secure AI Tools Across Your Enterprise
  • Why SentinelOne?
    Why SentinelOne?
    • Why SentinelOne?
      Cybersecurity Built for What’s Next
    • Our Customers
      Trusted by the World’s Leading Enterprises
    • Industry Recognition
      Tested and Proven by the Experts
    • About Us
      The Industry Leader in Autonomous Cybersecurity
    Compare SentinelOne
    • Arctic Wolf
    • Broadcom
    • CrowdStrike
    • Cybereason
    • Microsoft
    • Palo Alto Networks
    • Sophos
    • Splunk
    • Trellix
    • Trend Micro
    • Wiz
    Verticals
    • Energy
    • Federal Government
    • Finance
    • Healthcare
    • Higher Education
    • K-12 Education
    • Manufacturing
    • Retail
    • State and Local Government
  • Services
    Managed Services
    • Managed Services Overview
      Wayfinder Threat Detection & Response
    • Threat Hunting
      World-Class Expertise and Threat Intelligence
    • Managed Detection & Response
      24/7/365 Expert MDR Across Your Entire Environment
    • Incident Readiness & Response
      DFIR, Breach Readiness, & Compromise Assessments
    Support, Deployment, & Health
    • Technical Account Management
      Customer Success with Personalized Service
    • SentinelOne GO
      Guided Onboarding & Deployment Advisory
    • SentinelOne University
      Live and On-Demand Training
    • Services Overview
      Comprehensive Solutions for Seamless Security Operations
    • SentinelOne Community
      Community Login
  • Partners
    Our Network
    • MSSP Partners
      Succeed Faster with SentinelOne
    • Singularity Marketplace
      Extend the Power of S1 Technology
    • Cyber Risk Partners
      Enlist Pro Response and Advisory Teams
    • Technology Alliances
      Integrated, Enterprise-Scale Solutions
    • SentinelOne for AWS
      Hosted in AWS Regions Around the World
    • Channel Partners
      Deliver the Right Solutions, Together
    • SentinelOne for Google Cloud
      Unified, Autonomous Security Giving Defenders the Advantage at Global Scale
    • Partner Locator
      Your Go-to Source for Our Top Partners in Your Region
    Partner Portal→
  • Resources
    Resource Center
    • Case Studies
    • Data Sheets
    • eBooks
    • Reports
    • Videos
    • Webinars
    • Whitepapers
    • Events
    View All Resources→
    Blog
    • Feature Spotlight
    • For CISO/CIO
    • From the Front Lines
    • Identity
    • Cloud
    • macOS
    • SentinelOne Blog
    Blog→
    Tech Resources
    • SentinelLABS
    • Ransomware Anthology
    • Cybersecurity 101
  • About
    About SentinelOne
    • About SentinelOne
      The Industry Leader in Cybersecurity
    • Investor Relations
      Financial Information & Events
    • SentinelLABS
      Threat Research for the Modern Threat Hunter
    • Careers
      The Latest Job Opportunities
    • Press & News
      Company Announcements
    • Cybersecurity Blog
      The Latest Cybersecurity Threats, News, & More
    • FAQ
      Get Answers to Our Most Frequently Asked Questions
    • DataSet
      The Live Data Platform
    • S Foundation
      Securing a Safer Future for All
    • S Ventures
      Investing in the Next Generation of Security, Data and AI
  • Pricing
Get StartedContact Us
CVE Vulnerability Database
Vulnerability Database/CVE-2025-66570

CVE-2025-66570: Cpp-httplib Auth Bypass Vulnerability

CVE-2025-66570 is an authentication bypass flaw in Yhirose Cpp-httplib that allows attackers to inject headers and spoof IP addresses, poison logs, or bypass authorization. This article covers technical details, affected versions, impact, and mitigation.

Published: March 25, 2026

CVE-2025-66570 Overview

CVE-2025-66570 is a critical authentication bypass vulnerability in cpp-httplib, a popular C++11 single-file header-only cross-platform HTTP/HTTPS library. The vulnerability allows attackers to inject HTTP headers that shadow internal server metadata, enabling IP spoofing, log poisoning, and authorization bypass through header shadowing techniques.

Prior to version 0.27.0, the library improperly handles attacker-controlled HTTP headers named REMOTE_ADDR, REMOTE_PORT, LOCAL_ADDR, and LOCAL_PORT. These headers are parsed into the request header multimap via read_headers() in httplib.h before the server appends its own internal metadata using the same header names without erasing duplicates. Because Request::get_header_value returns the first entry for a header key, downstream code may inadvertently use attacker-controlled values instead of legitimate server-generated metadata.

Critical Impact

Attackers can bypass IP-based authorization controls, spoof client IP addresses in logs, and manipulate server-visible metadata through malicious HTTP header injection without authentication.

Affected Products

  • yhirose cpp-httplib versions prior to 0.27.0

Discovery Timeline

  • 2025-12-05 - CVE CVE-2025-66570 published to NVD
  • 2025-12-10 - Last updated in NVD database

Technical Details for CVE-2025-66570

Vulnerability Analysis

This vulnerability stems from an authentication spoofing weakness (CWE-290) in how cpp-httplib processes incoming HTTP headers. The library's header parsing mechanism in httplib.h uses headers.emplace() to store all incoming headers into a multimap data structure. Subsequently, the server's Server::process_request function appends its own internal metadata headers using the same key names without first clearing any existing entries.

The critical flaw lies in the Request::get_header_value function, which by default returns the first entry for any given header key (when id == 0). Since client-supplied headers are parsed before server-inserted headers, an attacker can shadow the legitimate server-generated values with malicious data.

This vulnerability affects multiple code paths including get_client_ip, nginx_access_logger, and nginx_error_logger functions in the docker example code, demonstrating how downstream code relying on these header values for logging, access control, or client identification can be compromised.

Root Cause

The root cause is insufficient input validation and improper handling of duplicate HTTP headers in the multimap data structure. The library fails to sanitize or reject client-supplied headers that use reserved internal metadata names, and the server appends rather than overwrites its own values, creating a header shadowing condition where attacker-controlled values take precedence.

Attack Vector

An attacker can exploit this vulnerability remotely over the network by crafting HTTP requests containing malicious headers with names matching the server's internal metadata fields. The attack requires no authentication and can be executed with low complexity.

The attack flow involves:

  1. Attacker sends an HTTP request with injected headers such as REMOTE_ADDR: 127.0.0.1 or LOCAL_ADDR: 10.0.0.1
  2. The read_headers() function parses these into the request header multimap
  3. Server subsequently appends legitimate values using the same header names
  4. Downstream code calling get_header_value() retrieves the attacker's values instead of server-generated metadata
  5. Authorization decisions, logging, and other security-sensitive operations use spoofed data
c
   Server &
   set_header_writer(std::function<ssize_t(Stream &, Headers &)> const &writer);
 
+  Server &set_trusted_proxies(const std::vector<std::string> &proxies);
+
   Server &set_keep_alive_max_count(size_t count);
   Server &set_keep_alive_timeout(time_t sec);

Source: GitHub Commit ac9ebb0e

The patch introduces a set_trusted_proxies() method that allows administrators to explicitly define trusted proxy sources, preventing unauthorized header injection from untrusted clients.

Detection Methods for CVE-2025-66570

Indicators of Compromise

  • HTTP requests containing REMOTE_ADDR, REMOTE_PORT, LOCAL_ADDR, or LOCAL_PORT headers from external sources
  • Log entries showing internal IP addresses (e.g., 127.0.0.1, 10.x.x.x, 192.168.x.x) from external network requests
  • Inconsistencies between logged client IPs and actual network traffic source addresses
  • Authorization bypass events where IP-restricted resources are accessed from unexpected addresses

Detection Strategies

  • Implement web application firewall (WAF) rules to detect and block HTTP requests containing reserved internal metadata header names
  • Deploy network intrusion detection signatures to identify header injection attempts targeting cpp-httplib servers
  • Monitor application logs for IP address anomalies where logged source IPs don't match network layer information
  • Enable detailed HTTP header logging at reverse proxy or load balancer level to identify suspicious header patterns

Monitoring Recommendations

  • Configure SIEM alerts for authentication events originating from localhost or internal IP ranges that should only be external traffic
  • Implement log correlation between network-level connection data and application-level client IP logging to detect spoofing
  • Monitor for increased failed authorization attempts followed by successful bypasses from similar request patterns
  • Review access logs for requests containing unusual or duplicate header patterns indicating injection attempts

How to Mitigate CVE-2025-66570

Immediate Actions Required

  • Upgrade cpp-httplib to version 0.27.0 or later immediately
  • Audit application code for any usage of REMOTE_ADDR, REMOTE_PORT, LOCAL_ADDR, or LOCAL_PORT headers in security-sensitive decisions
  • Implement network-level filtering to strip suspicious headers from incoming requests before they reach the application
  • Review access logs for signs of prior exploitation attempts

Patch Information

The vulnerability has been fixed in cpp-httplib version 0.27.0. The patch introduces a set_trusted_proxies() function that allows explicit configuration of trusted proxy sources, ensuring that internal metadata headers are only accepted from authorized sources. Users should update to this version or apply the security commit referenced in the GitHub Security Advisory GHSA-xm2j-vfr9-mg9m.

Workarounds

  • Deploy a reverse proxy or WAF in front of cpp-httplib applications to filter out requests containing REMOTE_ADDR, REMOTE_PORT, LOCAL_ADDR, or LOCAL_PORT headers
  • Implement application-level header validation to reject requests with these reserved header names from untrusted sources
  • Use network segmentation to ensure that only trusted internal services can send requests to vulnerable endpoints
  • Avoid relying solely on IP-based authorization; implement additional authentication mechanisms
bash
# Example nginx configuration to strip dangerous headers
proxy_set_header REMOTE_ADDR "";
proxy_set_header REMOTE_PORT "";
proxy_set_header LOCAL_ADDR "";
proxy_set_header LOCAL_PORT "";
proxy_set_header X-Real-IP $remote_addr;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;

Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.

  • Vulnerability Details
  • TypeAuth Bypass
  • Vendor/TechCpp Httplib
  • SeverityCRITICAL
  • CVSS Score9.8
  • EPSS Probability0.04%
  • Known ExploitedNo
  • CVSS Vector
  • CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
  • Impact Assessment
  • ConfidentialityLow
  • IntegrityNone
  • AvailabilityHigh
  • CWE References
  • CWE-290
  • Vendor Resources
  • GitHub Commit Update
  • GitHub Security Advisory GHSA-xm2j-vfr9-mg9m
  • Related CVEs
  • CVE-2026-31870: cpp-httplib DoS Vulnerability
  • CVE-2026-29076: Yhirose Cpp-httplib Buffer Overflow Flaw
  • CVE-2026-28435: Yhirose Cpp-httplib DoS Vulnerability
  • CVE-2026-22776: cpp-httplib DoS Vulnerability
Default Legacy - Prefooter | Experience the World’s Most Advanced Cybersecurity Platform

Experience the World’s Most Advanced Cybersecurity Platform

See how our intelligent, autonomous cybersecurity platform can protect your organization now and into the future.

Try SentinelOne
  • Get Started
  • Get a Demo
  • Product Tour
  • Why SentinelOne
  • Pricing & Packaging
  • FAQ
  • Contact
  • Contact Us
  • Customer Support
  • SentinelOne Status
  • Language
  • Platform
  • Singularity Platform
  • Singularity Endpoint
  • Singularity Cloud
  • Singularity AI-SIEM
  • Singularity Identity
  • Singularity Marketplace
  • Purple AI
  • Services
  • Wayfinder TDR
  • SentinelOne GO
  • Technical Account Management
  • Support Services
  • Verticals
  • Energy
  • Federal Government
  • Finance
  • Healthcare
  • Higher Education
  • K-12 Education
  • Manufacturing
  • Retail
  • State and Local Government
  • Cybersecurity for SMB
  • Resources
  • Blog
  • Labs
  • Case Studies
  • Videos
  • Product Tours
  • Events
  • Cybersecurity 101
  • eBooks
  • Webinars
  • Whitepapers
  • Press
  • News
  • Ransomware Anthology
  • Company
  • About Us
  • Our Customers
  • Careers
  • Partners
  • Legal & Compliance
  • Security & Compliance
  • Investor Relations
  • S Foundation
  • S Ventures

©2026 SentinelOne, All Rights Reserved.

Privacy Notice Terms of Use

English