CVE-2026-21428 Overview
CVE-2026-21428 is an HTTP Header Injection vulnerability affecting cpp-httplib, a C++11 single-file header-only cross-platform HTTP/HTTPS library. Prior to version 0.30.0, the write_headers function does not check for CR (Carriage Return) and LF (Line Feed) characters in user-supplied headers, allowing untrusted header values to escape their header lines.
This vulnerability enables attackers to inject additional HTTP headers, manipulate request bodies, and carry out Server-Side Request Forgery (SSRF) attacks. When exploited against servers supporting HTTP/1.1 pipelining (such as Spring Boot or Python Twisted), the impact is particularly severe, as attackers can forge requests on behalf of the server.
Critical Impact
Attackers can inject arbitrary HTTP headers and manipulate request bodies, enabling SSRF attacks against backend systems when combined with HTTP/1.1 pipelining-capable servers.
Affected Products
- yhirose cpp-httplib versions prior to 0.30.0
Discovery Timeline
- 2026-01-01 - CVE-2026-21428 published to NVD
- 2026-01-06 - Last updated in NVD database
Technical Details for CVE-2026-21428
Vulnerability Analysis
The vulnerability exists in the write_headers function within cpp-httplib's header processing logic. This function is responsible for writing HTTP headers to the output stream but fails to validate header content for CRLF (Carriage Return Line Feed) character sequences.
HTTP headers use CRLF sequences (\r\n) as delimiters between header lines. When user-controlled input containing these characters is passed to header values without proper sanitization, attackers can terminate the current header prematurely and inject additional headers or even modify the request body. This is classified as CWE-93 (Improper Neutralization of CRLF Sequences in HTTP Headers).
The attack surface is network-accessible and requires no authentication or user interaction, making it exploitable remotely by any attacker who can influence header values processed by applications using vulnerable versions of cpp-httplib.
Root Cause
The root cause is the absence of input validation for CRLF characters in the write_headers function. The library trusted that header values would not contain line termination characters, allowing malicious input to break out of the intended header structure.
Attack Vector
An attacker can exploit this vulnerability by providing header values containing CRLF sequences. When these values are processed by write_headers, the injected characters cause:
- Header Injection: New headers can be inserted by including \r\n followed by the new header name and value
- Body Manipulation: Double CRLF (\r\n\r\n) terminates headers entirely, allowing attackers to inject arbitrary request body content
- SSRF via Pipelining: On servers supporting HTTP/1.1 pipelining, attackers can inject complete additional HTTP requests, enabling server-side request forgery
The security patch introduced in version 0.30.0 adds proper validation through a new check_and_write_headers function:
return prepare_host_string(host) + ":" + std::to_string(port);
}
+template <typename T>
+inline bool check_and_write_headers(Stream &strm, Headers &headers,
+ T header_writer, Error &error) {
+ for (const auto &h : headers) {
+ if (!detail::fields::is_field_name(h.first) ||
+ !detail::fields::is_field_value(h.second)) {
+ error = Error::InvalidHeaders;
+ return false;
+ }
+ }
+ if (header_writer(strm, headers) <= 0) {
+ error = Error::Write;
+ return false;
+ }
+ return true;
+}
+
} // namespace detail
// HTTP server implementation
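Review bot: check_and_write_headers takes `Headers &headers` by non-const reference even though the validation loop only reads `h.first` and `h.second` and the writer receives the same set; declaring it `const Headers &headers` would document that validation does not mutate the header set and let callers pass const headers. The rejection surfaces to callers only as `Error::InvalidHeaders`, with no indication of which name or value failed; a brief comment on the function noting that `detail::fields::is_field_name` / `is_field_value` are the token and field-value checks (and so that CR/LF in a value is what triggers the error) would help integrators diagnose the new error when they upgrade.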
Source: GitHub Commit 98048a0
Detection Methods for CVE-2026-21428
Indicators of Compromise
- HTTP requests containing unexpected CRLF sequences (\r\n) in header values
- Unusual HTTP headers appearing in server logs that were not set by the application
- Backend systems receiving requests that appear to originate from trusted internal services (SSRF indicators)
- Unexpected HTTP pipelining behavior or malformed request sequences in network traffic
Detection Strategies
- Monitor application logs for Error::InvalidHeaders errors after upgrading to version 0.30.0
- Implement network-level inspection for HTTP requests containing CRLF sequences in header values
- Review web application firewall logs for header injection attempt patterns
- Audit applications using cpp-httplib for user-controlled header value sources
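The two indicators above that can be checked mechanically are (1) CR/LF, raw or percent-encoded, in the request target that a server logs, and (2) headers showing up on an outbound request that the application never sets. The following is an added example written for this page, not code from the advisory or from cpp-httplib: it implements both checks in C++ and runs them over constructed access-log lines in Common Log Format and a constructed header allowlist (the hosts, paths, header names and dates are hypothetical sample data).

```cpp
#include <algorithm>
#include <cctype>
#include <iostream>
#include <set>
#include <string>
#include <vector>

// Lower-case a copy so "%0D" and "%0d", or "Host" and "host", compare equal.
static std::string lower(std::string s) {
    std::transform(s.begin(), s.end(), s.begin(),
                   [](unsigned char c) { return static_cast<char>(std::tolower(c)); });
    return s;
}

// Indicator 1: a request target (path + query) carrying raw or percent-encoded
// CR/LF. Query parameters copied into an outbound header are the common route
// by which CRLF reaches a header value, and the access log records the target.
bool target_has_crlf(const std::string &target) {
    if (target.find('\r') != std::string::npos || target.find('\n') != std::string::npos)
        return true;
    std::string t = lower(target);
    return t.find("%0d") != std::string::npos || t.find("%0a") != std::string::npos;
}

// Pull the request target out of a Common Log Format line:
//   client - - [time] "METHOD /target HTTP/1.1" status bytes
// Returns "" when the line has no quoted request line.
std::string extract_target(const std::string &line) {
    size_t q1 = line.find('"');
    if (q1 == std::string::npos) return "";
    size_t q2 = line.find('"', q1 + 1);
    if (q2 == std::string::npos) return "";
    std::string req = line.substr(q1 + 1, q2 - q1 - 1);
    size_t sp1 = req.find(' ');
    if (sp1 == std::string::npos) return "";
    size_t sp2 = req.find(' ', sp1 + 1);
    return req.substr(sp1 + 1, sp2 == std::string::npos ? std::string::npos : sp2 - sp1 - 1);
}

// Indices of the log lines whose request target contains CR/LF.
std::vector<size_t> flag_crlf_lines(const std::vector<std::string> &lines) {
    std::vector<size_t> hits;
    for (size_t i = 0; i < lines.size(); ++i)
        if (target_has_crlf(extract_target(lines[i]))) hits.push_back(i);
    return hits;
}

// Indicator 2: header names seen on a request the backend received from the
// application that the application is not known to set. Names compare
// case-insensitively; `expected_lower` holds the allowlist in lower case.
std::vector<std::string> unexpected_headers(const std::vector<std::string> &observed,
                                            const std::set<std::string> &expected_lower) {
    std::vector<std::string> extra;
    for (const auto &name : observed)
        if (!expected_lower.count(lower(name))) extra.push_back(name);
    return extra;
}

// Constructed access-log lines (hypothetical hosts and paths, not from any
// real deployment): one clean request and two carrying encoded CR/LF.
std::vector<std::string> sample_log_lines() {
    return {
        "10.0.0.5 - - [06/Jan/2026:10:00:00 +0000] \"GET /api/item?id=42 HTTP/1.1\" 200 512",
        "10.0.0.9 - - [06/Jan/2026:10:00:01 +0000] \"GET /api/item?id=42%0d%0aX-Test:%201 HTTP/1.1\" 200 512",
        "10.0.0.9 - - [06/Jan/2026:10:00:02 +0000] \"GET /api/item?id=42%0A HTTP/1.1\" 400 0",
    };
}

int main() {
    for (size_t i : flag_crlf_lines(sample_log_lines()))
        std::cout << "CRLF in request target, log line " << i << "\n";
    // Headers the application sets on its outbound requests (constructed allowlist).
    std::set<std::string> expected = {"host", "user-agent", "x-request-id", "accept"};
    for (const auto &h : unexpected_headers({"Host", "X-Request-Id", "X-Test"}, expected))
        std::cout << "unexpected header on outbound request: " << h << "\n";
    return 0;
}
```

The first check is deliberately broad (any %0d or %0a anywhere in the target) because a legitimate application rarely needs an encoded line break in a URL; tune the allowlist for the second check per application, since it is only meaningful when you know the exact header set your code emits.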
Monitoring Recommendations
- Enable verbose logging for HTTP request processing in applications using cpp-httplib
- Deploy intrusion detection rules targeting CRLF injection patterns in HTTP headers
- Monitor for anomalous SSRF-like behavior such as unexpected outbound connections from application servers
- Track cpp-httplib library version across your software inventory to identify vulnerable deployments
How to Mitigate CVE-2026-21428
Immediate Actions Required
- Upgrade cpp-httplib to version 0.30.0 or later immediately
- Audit all code paths where user input can influence HTTP header values
- Implement input validation at the application layer as defense-in-depth
- Review applications for potential SSRF impact if exploitation may have occurred
Patch Information
The vulnerability is fixed in cpp-httplib version 0.30.0. The patch introduces a new check_and_write_headers template function that validates both header field names and values using detail::fields::is_field_name and detail::fields::is_field_value functions before writing headers to the stream. Invalid headers now result in an Error::InvalidHeaders error code.
For more information, see the GitHub Security Advisory GHSA-wpc6-j37r-jcx7 and the v0.30.0 Release Notes.
Workarounds
- Sanitize all user input before setting HTTP header values by stripping or rejecting CR (\r) and LF (\n) characters
- Implement allowlist validation for header values to permit only expected characters
- Use a web application firewall to filter requests containing CRLF sequences in header contexts
- If immediate upgrade is not possible, apply the patch commit manually by implementing header validation logic
# Update cpp-httplib to patched version
# If using as a single-header library, download the latest release:
curl -L -o httplib.h https://github.com/yhirose/cpp-httplib/releases/download/v0.30.0/httplib.h
# Verify the download: compare the printed digest against a value obtained from a trusted source before using the file
sha256sum httplib.h
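The Attack Vector section explains how a CRLF inside a value becomes an extra header line (or, after a blank line, body), and the Workarounds section asks for reject-or-allowlist validation at the application layer. The following added example, written for this page and not taken from cpp-httplib or its patch, covers both: a minimal unchecked serializer with the shape of the pre-0.30.0 behaviour, placed beside a hardened one that applies RFC 7230 token and field-value allowlist checks (is_field_name, is_field_value, write_headers_checked and count_header_lines are this example's own names, not the library's).

```cpp
#include <cctype>
#include <iostream>
#include <string>
#include <utility>
#include <vector>

using Headers = std::vector<std::pair<std::string, std::string>>;

// RFC 7230 "tchar": bytes allowed in a header field name (a token).
static bool is_tchar(unsigned char c) {
    if (std::isalnum(c)) return true;
    switch (c) {
        case '!': case '#': case '$': case '%': case '&': case '\'': case '*':
        case '+': case '-': case '.': case '^': case '_': case '`': case '|':
        case '~':
            return true;
        default:
            return false;
    }
}

// Allowlist check for a field name: non-empty and made only of tchar bytes.
bool is_field_name(const std::string &name) {
    if (name.empty()) return false;
    for (unsigned char c : name)
        if (!is_tchar(c)) return false;
    return true;
}

// Allowlist check for a field value: SP, HTAB, visible ASCII (0x21-0x7E) and
// obs-text (0x80-0xFF). CR, LF, NUL and every other control byte are
// rejected, so a value can never start a new header line or end the block.
bool is_field_value(const std::string &value) {
    for (unsigned char c : value) {
        bool ok = c == ' ' || c == '\t' || (c >= 0x21 && c <= 0x7E) || c >= 0x80;
        if (!ok) return false;
    }
    return true;
}

// Unchecked serializer with the shape of the pre-0.30.0 behaviour: values are
// copied through verbatim, so a CRLF inside one lands on the wire as a line
// break and whatever follows it is parsed as a separate header (or, after a
// blank line, as body). Kept here only to show what the check below prevents.
std::string write_headers_unchecked(const Headers &headers) {
    std::string out;
    for (const auto &h : headers) out += h.first + ": " + h.second + "\r\n";
    out += "\r\n";  // blank line terminates the header block
    return out;
}

// Hardened serializer: validate every entry first and refuse the whole set if
// any fails, mirroring the reject-rather-than-sanitize choice of the 0.30.0 fix.
// Returns false (and leaves `out` empty) on rejection.
bool write_headers_checked(const Headers &headers, std::string &out) {
    out.clear();
    for (const auto &h : headers)
        if (!is_field_name(h.first) || !is_field_value(h.second)) return false;
    out = write_headers_unchecked(headers);
    return true;
}

// Count the header lines in a serialized block, i.e. how many headers a
// receiver would see. One logical header with an embedded CRLF counts as two.
size_t count_header_lines(const std::string &block) {
    size_t n = 0, pos = 0;
    for (;;) {
        size_t nl = block.find("\r\n", pos);
        if (nl == std::string::npos || nl == pos) break;  // empty line ends headers
        ++n;
        pos = nl + 2;
    }
    return n;
}

int main() {
    // Constructed input: a benign header plus one whose value carries a CRLF.
    Headers headers = {{"X-Request-Id", "abc123"},
                       {"X-Forwarded-For", "203.0.113.7\r\nX-Extra: 1"}};
    std::cout << "unchecked: " << count_header_lines(write_headers_unchecked(headers))
              << " header lines on the wire\n";
    std::string out;
    std::cout << "checked:   " << (write_headers_checked(headers, out) ? "accepted" : "rejected")
              << "\n";
    return 0;
}
```

Rejecting the whole header set, rather than silently stripping CR and LF, is the safer workaround: stripping can turn an injected value into a different but still valid header, and it hides from the application that it was handed input it should never have accepted.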
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.