5.3
CVE-2025-66577
- EPSS 0.24%
- Veröffentlicht 05.12.2025 18:20:25
- Zuletzt bearbeitet 11.12.2025 18:09:30
- Quelle security-advisories@github.com
- CVE-Watchlists
- Unerledigt
cpp-httplib Untrusted HTTP Header Handling: X-Forwarded-For/X-Real-IP Trust
cpp-httplib is a C++11 single-file header-only cross platform HTTP/HTTPS library. Prior to 0.27.0, a vulnerability allows attacker-controlled HTTP headers to influence server-visible metadata, logging, and authorization decisions. An attacker can supply X-Forwarded-For or X-Real-IP headers which get accepted unconditionally by get_client_ip() in docker/main.cc, causing access and error logs (nginx_access_logger / nginx_error_logger) to record spoofed client IPs (log poisoning / audit evasion). This vulnerability is fixed in 0.27.0.
Daten sind bereitgestellt durch National Vulnerability Database (NVD)
Yhirose ≫ Cpp-httplib Version < 0.27.0
VulnDex Vulnerability Enrichment
Diese Information steht angemeldeten Benutzern zur Verfügung. 
Login
Login| Typ | Quelle | Score | Percentile |
|---|---|---|---|
| EPSS | FIRST.org | 0.24% | 0.143 |
| Quelle | Base Score | Exploit Score | Impact Score | Vector String |
|---|---|---|---|---|
| security-advisories@github.com | 5.3 | 3.9 | 1.4 |
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N
|
CWE-117 Improper Output Neutralization for Logs
The product does not neutralize or incorrectly neutralizes output that is written to logs.
CWE-807 Reliance on Untrusted Inputs in a Security Decision
The product uses a protection mechanism that relies on the existence or values of an input, but the input can be modified by an untrusted actor in a way that bypasses the protection mechanism.
https://github.com/yhirose/cpp-httplib/commit/ac9ebb0ee333ce8bf13523f487bdfad9518a2aff
https://github.com/yhirose/cpp-httplib/security/advisories/GHSA-gfpf-r66f-5mh2