cpp-httplib Server-Side HTTP Header Percent-Decoding Bypass Enables CRLF Injection

Vulnerability Overview HTTP header value percent-decoding in server-side enables CRLF injection Vulnerability Description: When cpp-httplib's server parses incoming requests, it applies percent-decoding to each header value, with the exception of and . A validity check ( ) is executed before decoding; however, encoded sequences such as pass this check and are expanded into literal byte pairs, which are then stored in the header value. RFC 9110 Section 5.9.5 states that header field values are octets and should not be subject to percent-decoding, thereby creating several attack primitives. Details: Here, percent-decoding is applied to all fields except and . Impact Scope HTTP Response Splitting / Log Injection: Application code that reflects header values (e.g., ) or logs framework outputs will emit literal CRLF sequences on the wire. This allows an attacker to inject additional response headers (such as , cache directives, redirects, etc.), terminate the original response, and forge the body content. HTTP Request Smuggling via Bundled Client Requests: When using as a forwarding proxy, where the application copies received headers into the proxy request (a common pattern), the function (the focus of CVE-2026-21428) writes the decoded values directly into the proxy request containing embedded CRLFs. This expands the impact of CVE-2026-21428, shifting the source of attacker-controlled values from "user-provided values" to "any header value parsed by the server side," significantly enlarging the attack surface. Cookie / X-Forwarded-For Boundary Confusion: Web Application Firewalls (WAFs) and reverse proxies check the wire-form representation (where and are treated as non-special characters). However, cpp-httplib applications check the decoded form. Sending a cookie value results in a single cookie ( ) at the WAF level, but is interpreted as two cookies ( ; ) by the application. The same logic applies to chains. Microsoft IIS-style Decoding: The decoder also handles → and → . This behavior is non-standard (RFC 3986 does not define ) and amplifies attacks by allowing payloads to bypass URL-decoding-aware WAFs. The decoded form is seen by every downstream consumer within the application—middleware, routers, business logic, logs, and bundled HTTP clients. Since the decoded values are never re-validated, attackers can inject arbitrary bytes ( , , , , etc.) into header values, bypassing strict syntax checks performed on the wire form. Remediation Recommended Fixes: Treat header values as opaque octets. 1. Remove percent-decoding from (Recommended). Maintain consistency for / by never decoding any header values. URI component values that the application intends to interpret as URLs should be explicitly decoded by the application using the existing API. 2. If backward compatibility requires preserving current behavior, re-run the check (or ideally, ) on the decoded result, so that , , , etc., are rejected after decoding. POC Code Server Program Client Program Additional Information CVE ID: CVE-2026-4572 Weaknesses: CWE-89, CWE-444 Credits: jismz (Reporter) Severity: High Affected versions: <0.43.4 Patched versions: 0.44.0

Goal Reached Thanks to every supporter — we hit 100%!

cpp-httplib Server-Side HTTP Header Percent-Decoding Bypass Enables CRLF Injection

More from this source