CVE-2026-33745 Overview
CVE-2026-33745 affects cpp-httplib, a C++11 single-file header-only HTTP/HTTPS library widely embedded in C++ applications. The HTTP client forwards stored Authorization headers, including Basic Auth, Bearer Tokens, and Digest Auth credentials, to arbitrary hosts when following cross-origin redirects. A malicious or compromised origin server can issue a 301, 302, 307, or 308 redirect pointing to an attacker-controlled host. The client then transmits plaintext credentials in the Authorization header to that host. The maintainer released version 0.39.0 to address the issue [CWE-200].
Critical Impact
Attackers controlling or compromising a server reachable by a cpp-httplib client can harvest plaintext Basic, Bearer, and Digest credentials by redirecting requests to attacker-controlled hosts.
Affected Products
- yhirose cpp-httplib versions prior to 0.39.0
- C++ applications statically embedding vulnerable httplib.h headers
- Services using cpp-httplib as an HTTP client with stored authentication credentials
Discovery Timeline
- 2026-03-27 - CVE-2026-33745 published to NVD
- 2026-04-01 - Last updated in NVD database
Technical Details for CVE-2026-33745
Vulnerability Analysis
The vulnerability resides in the redirect-following logic of the cpp-httplib HTTP client. When the client receives a 301, 302, 307, or 308 status code, it issues a follow-up request to the Location header target. The client retains and resends previously configured authentication headers without verifying whether the redirect target shares the original request's origin.
Basic Auth credentials are base64-encoded but not encrypted. Bearer Tokens grant API access and frequently authorize long-lived sessions. Digest Auth responses include hashed credentials usable in offline cracking or replay against the same realm. Forwarding any of these to a third-party host constitutes sensitive information exposure [CWE-200].
Exploitation requires either a malicious upstream server or an attacker who can compromise or man-in-the-middle a legitimate endpoint. The attack complexity is elevated because the attacker must control a redirect response, but no user interaction or authentication is required on the attacker side to receive the leaked secrets.
Root Cause
The client lacks origin-checking before reattaching the Authorization header to redirected requests. Conformant HTTP clients strip credentials when the redirect target's scheme, host, or port differs from the original request. cpp-httplib unconditionally propagates the header, violating same-origin credential handling expectations.
Attack Vector
An attacker hosts or compromises an endpoint that a cpp-httplib client contacts with credentials. When the client issues an authenticated request, the attacker responds with HTTP/1.1 302 Found and a Location header pointing to https://attacker.example/collect. The client follows the redirect and reattaches the original Authorization header. The attacker logs the credentials from the inbound request.
The vulnerability mechanism is described in the GitHub Security Advisory GHSA-6hrp-7fq9-3qv2. No public proof-of-concept exploit code is currently available.
Detection Methods for CVE-2026-33745
Indicators of Compromise
- Outbound HTTPS or HTTP requests from application hosts to unexpected external domains containing Authorization headers
- Application logs showing redirect chains where the final host differs from the configured API endpoint
- Unexpected 301, 302, 307, or 308 responses from upstream services that previously returned 200
Detection Strategies
- Inventory C++ binaries and source trees for embedded httplib.h and identify versions prior to 0.39.0 using build manifests or SBOM tooling
- Inspect network proxy logs for cross-origin redirect chains originating from services known to use cpp-httplib
- Monitor authentication backends for token usage from unexpected source IP addresses, which can indicate credential replay after leakage
Monitoring Recommendations
- Enable TLS-inspecting egress proxies to capture Authorization headers sent to unsanctioned destinations
- Rotate Bearer Tokens and API keys used by services that integrate cpp-httplib pending verification of patched versions
- Alert on HTTP redirect responses from internal APIs that should never issue redirects
How to Mitigate CVE-2026-33745
Immediate Actions Required
- Upgrade all instances of cpp-httplib to version 0.39.0 or later and rebuild dependent applications
- Rotate any Basic Auth passwords, Bearer Tokens, and Digest credentials that have been used by clients running vulnerable versions
- Audit upstream HTTP endpoints contacted by cpp-httplib clients for unexpected redirect behavior
Patch Information
The maintainer released cpp-httplib 0.39.0, which fixes the credential-forwarding behavior. Consult the GitHub Security Advisory GHSA-6hrp-7fq9-3qv2 for the official fix details and commit references. Because cpp-httplib is header-only, all dependent binaries must be recompiled against the patched header.
Workarounds
- Disable automatic redirect following in client code by calling set_follow_location(false) on the client and handling redirects manually with origin validation
- Restrict outbound network egress from application servers to an allowlist of expected API hostnames
- Use short-lived Bearer Tokens scoped to single hosts to reduce the value of any leaked credential
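The origin check described under Root Cause, and the manual redirect handling the first workaround calls for, as an added example that is not cpp-httplib's own code. It assumes a `send` callback standing in for the real request call so it runs offline; with cpp-httplib the equivalent wiring is `set_follow_location(false)` on the client and reading the `Location` header from each response. The hostnames, token and redirect chain are constructed for the demonstration.

```cpp
// Added example, not cpp-httplib's own code: origin-aware redirect handling for a
// client that stores an Authorization header. "send" is an assumed stand-in callback.
#include <algorithm>
#include <cctype>
#include <functional>
#include <map>
#include <optional>
#include <string>

struct Origin {
    std::string scheme, host;
    int port = 0;
    bool operator==(const Origin& o) const {
        return scheme == o.scheme && host == o.host && port == o.port;
    }
};
static std::string lower(std::string s) {
    for (auto& c : s) c = static_cast<char>(std::tolower(static_cast<unsigned char>(c)));
    return s;
}

// Extract (scheme, host, effective port) from an absolute http(s) URL. Userinfo is
// dropped and default ports filled in; IPv6 literals are rejected as out of scope.
std::optional<Origin> parse_origin(const std::string& url) {
    auto sep = url.find("://");
    if (sep == std::string::npos) return std::nullopt;
    Origin o;
    o.scheme = lower(url.substr(0, sep));
    if (o.scheme != "http" && o.scheme != "https") return std::nullopt;
    std::string authority = url.substr(sep + 3);
    authority = authority.substr(0, authority.find_first_of("/?#"));
    auto at = authority.rfind('@');
    if (at != std::string::npos) authority = authority.substr(at + 1);
    if (!authority.empty() && authority[0] == '[') return std::nullopt;
    std::string host = authority, port;
    if (auto colon = authority.find(':'); colon != std::string::npos) {
        host = authority.substr(0, colon);
        port = authority.substr(colon + 1);
    }
    if (host.empty()) return std::nullopt;
    o.host = lower(host);
    if (port.empty()) { o.port = (o.scheme == "https") ? 443 : 80; return o; }
    if (port.size() > 5 || !std::all_of(port.begin(), port.end(), [](unsigned char c) { return std::isdigit(c) != 0; })) return std::nullopt;
    o.port = std::stoi(port);
    return o;
}

// True only when scheme, host and port all match: the check the page says
// conformant clients apply before re-sending credentials after a redirect.
bool same_origin(const std::string& a, const std::string& b) {
    auto oa = parse_origin(a), ob = parse_origin(b);
    return oa && ob && *oa == *ob;
}

static bool is_absolute(const std::string& s) {
    auto sep = s.find("://");
    return sep != std::string::npos && sep > 0 &&
           std::all_of(s.begin(), s.begin() + sep, [](unsigned char c) { return std::isalpha(c) != 0; });
}

// Resolve a Location value against the request URL. Absolute, scheme-relative
// ("//host/p") and root-relative ("/p") forms are handled; anything else yields
// nullopt so the caller refuses to follow rather than guessing.
std::optional<std::string> resolve_url(const std::string& base, const std::string& location) {
    if (is_absolute(location)) return location;
    auto o = parse_origin(base);
    if (!o) return std::nullopt;
    if (location.rfind("//", 0) == 0) return o->scheme + ":" + location;
    if (!location.empty() && location[0] == '/')
        return o->scheme + "://" + o->host + ":" + std::to_string(o->port) + location;
    return std::nullopt;
}

// Should the stored Authorization header travel to this redirect target?
bool keep_authorization_on_redirect(const std::string& original_url, const std::string& location) {
    auto next = resolve_url(original_url, location);
    return next && same_origin(original_url, *next);
}

struct Request { std::string url; std::map<std::string, std::string> headers; };
struct Response { int status; std::string location; };
using SendFn = std::function<Response(const Request&)>;
static bool is_redirect(int s) { return s == 301 || s == 302 || s == 303 || s == 307 || s == 308; }

// Manual redirect loop replacing automatic following: credentials are dropped the
// moment a hop leaves the origin of the first request and never re-attached.
// nullopt means "refused to follow the Location" or "too many redirects".
std::optional<Response> fetch_with_origin_check(const std::string& start_url,
                                                std::map<std::string, std::string> headers,
                                                const SendFn& send, int max_redirects = 5) {
    std::string url = start_url;
    for (int hop = 0; hop <= max_redirects; ++hop) {
        Response res = send(Request{url, headers});
        if (!is_redirect(res.status)) return res;
        auto next = resolve_url(url, res.location);
        if (!next) return std::nullopt;
        if (!same_origin(start_url, *next)) headers.erase("Authorization");
        url = *next;
    }
    return std::nullopt;
}
```

The comparison is made against the origin of the first request rather than the previous hop, so a chain that passes through a same-origin hop before leaving the origin still sheds the header, and once erased it is never re-attached for later hops. A Location value the resolver does not understand stops the chain instead of being followed.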
# Configuration example: pin cpp-httplib to the patched version
# vcpkg: classic `vcpkg install` has no per-package version flag, so pin the
# version in the project's vcpkg.json (manifest mode); <vcpkg-commit-sha> is a
# placeholder for the vcpkg registry commit you baseline against
{
  "dependencies": [ "cpp-httplib" ],
  "builtin-baseline": "<vcpkg-commit-sha>",
  "overrides": [ { "name": "cpp-httplib", "version": "0.39.0" } ]
}
# Conan 1.x (Conan 2 syntax: conan install --requires=cpp-httplib/0.39.0)
conan install cpp-httplib/0.39.0@
# CMake FetchContent
include(FetchContent)
FetchContent_Declare(
  cpp-httplib
  GIT_REPOSITORY https://github.com/yhirose/cpp-httplib.git
  GIT_TAG v0.39.0
)
FetchContent_MakeAvailable(cpp-httplib)
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.