CVE-2023-26130

Source
https://nvd.nist.gov/vuln/detail/CVE-2023-26130
Import Source
https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2023-26130.json
JSON Data
https://api.osv.dev/v1/vulns/CVE-2023-26130
Published
2023-05-30T05:15:10Z
Modified
2025-10-16T05:44:57.139915Z
Severity
  • 8.8 (High) CVSS_V3 - CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
Summary
[none]
Details

Versions of the package yhirose/cpp-httplib before 0.12.4 are vulnerable to CRLF Injection when untrusted user input is used to set the content-type header in the HTTP .Patch, .Post, .Put and .Delete requests. This can lead to logical errors and other misbehaviors.

Note: This issue is present due to an incomplete fix for CVE-2020-11709.

Affected packages

Git / github.com/yhirose/cpp-httplib

Affected ranges

Type
GIT
Repo
https://github.com/yhirose/cpp-httplib
Events
Introduced
0 Unknown introduced commit / All previous commits are affected
Fixed
Fixed

Affected versions

v0.*

v0.10.0
v0.10.1
v0.10.2
v0.10.3
v0.10.4
v0.10.5
v0.10.6
v0.10.7
v0.10.8
v0.10.9
v0.11.0
v0.11.1
v0.11.2
v0.11.3
v0.11.4
v0.12.0
v0.12.1
v0.12.2
v0.12.3
v0.2.0
v0.2.1
v0.2.2
v0.2.3
v0.2.4
v0.2.5
v0.2.6
v0.3.0
v0.3.1
v0.3.2
v0.3.3
v0.4.0
v0.4.1
v0.4.2
v0.5.0
v0.5.1
v0.5.10
v0.5.11
v0.5.12
v0.5.13
v0.5.2
v0.5.3
v0.5.4
v0.5.5
v0.5.6
v0.5.7
v0.5.8
v0.5.9
v0.6.0
v0.6.1
v0.6.2
v0.6.3
v0.6.4
v0.6.5
v0.6.6
v0.6.7
v0.7.0
v0.7.1
v0.7.10
v0.7.11
v0.7.12
v0.7.13
v0.7.14
v0.7.15
v0.7.16
v0.7.17
v0.7.18
v0.7.2
v0.7.3
v0.7.4
v0.7.5
v0.7.6
v0.7.7
v0.7.8
v0.7.9
v0.8.0
v0.8.1
v0.8.2
v0.8.3
v0.8.4
v0.8.5
v0.8.6
v0.8.7
v0.8.8
v0.8.9
v0.9.0
v0.9.1
v0.9.10
v0.9.2
v0.9.3
v0.9.4
v0.9.5
v0.9.6
v0.9.7
v0.9.8
v0.9.9

Database specific

{
    "vanir_signatures": [
        {
            "deprecated": false,
            "signature_type": "Function",
            "target": {
                "file": "httplib.h",
                "function": "ClientImpl::Delete"
            },
            "signature_version": "v1",
            "digest": {
                "length": 388.0,
                "function_hash": "109966815411537648843441367288065635615"
            },
            "id": "CVE-2023-26130-21a54e0e",
            "source": "https://github.com/yhirose/cpp-httplib/commit/5b397d455d25a391ba346863830c1949627b4d08"
        },
        {
            "deprecated": false,
            "signature_type": "Line",
            "target": {
                "file": "httplib.h"
            },
            "signature_version": "v1",
            "digest": {
                "line_hashes": [
                ],
                "threshold": 0.9
            },
            "id": "CVE-2023-26130-78fa3e6c",
            "source": "https://github.com/yhirose/cpp-httplib/commit/5b397d455d25a391ba346863830c1949627b4d08"
        },
        {
            "deprecated": false,
            "signature_type": "Function",
            "target": {
                "file": "httplib.h",
                "function": "ClientImpl::send_with_content_provider"
            },
            "signature_version": "v1",
            "digest": {
                "length": 1892.0,
                "function_hash": "289528182960760020231947278313234685575"
            },
            "id": "CVE-2023-26130-ccaed971",
            "source": "https://github.com/yhirose/cpp-httplib/commit/5b397d455d25a391ba346863830c1949627b4d08"
        },
        {
            "deprecated": false,
            "signature_type": "Function",
            "target": {
                "file": "httplib.h",
                "function": "Server::apply_ranges"
            },
            "signature_version": "v1",
            "digest": {
                "length": 3147.0,
                "function_hash": "1746522660174197105611120685402022537"
            },
            "id": "CVE-2023-26130-e98a4f4d",
            "source": "https://github.com/yhirose/cpp-httplib/commit/5b397d455d25a391ba346863830c1949627b4d08"
        },
        {
            "deprecated": false,
            "signature_type": "Function",
            "target": {
                "file": "httplib.h",
                "function": "ClientImpl::write_request"
            },
            "signature_version": "v1",
            "digest": {
                "length": 3122.0,
                "function_hash": "134017682451038564924117699348251447690"
            },
            "id": "CVE-2023-26130-f98e13b5",
            "source": "https://github.com/yhirose/cpp-httplib/commit/5b397d455d25a391ba346863830c1949627b4d08"
        }
    ]
}