CVE-2025-66570

Source
https://cve.org/CVERecord?id=CVE-2025-66570
Import Source
https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2025-66570.json
JSON Data
https://api.osv.dev/v1/vulns/CVE-2025-66570
Aliases
  • GHSA-xm2j-vfr9-mg9m
Downstream
Related
Published
2025-12-05T18:18:02.928Z
Modified
2026-07-15T23:39:34.984921Z
Severity
  • 10.0 (Critical) CVSS_V3 - CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:N CVSS Calculator
Summary
cpp-httplib Untrusted HTTP Header Handling: Internal Header Shadowing (REMOTE*/LOCAL*)
Details

cpp-httplib is a C++11 single-file header-only cross platform HTTP/HTTPS library. Prior to 0.27.0, a vulnerability allows attacker-controlled HTTP headers to influence server-visible metadata, logging, and authorization decisions. An attacker can inject headers named REMOTEADDR, REMOTEPORT, LOCALADDR, LOCALPORT that are parsed into the request header multimap via readheaders() in httplib.h (headers.emplace), then the server later appends its own internal metadata using the same header names in Server::processrequest without erasing duplicates. Because Request::getheadervalue returns the first entry for a header key (id == 0) and the client-supplied headers are parsed before server-inserted headers, downstream code that uses these header names may inadvertently use attacker-controlled values. Affected files/locations: cpp-httplib/httplib.h (readheaders, Server::processrequest, Request::getheadervalue, getheadervalueu64) and cpp-httplib/docker/main.cc (getclientip, nginxaccesslogger, nginxerror_logger). Attack surface: attacker-controlled HTTP headers in incoming requests flow into the Request.headers multimap and into logging code that reads forwarded headers, enabling IP spoofing, log poisoning, and authorization bypass via header shadowing. This vulnerability is fixed in 0.27.0.

Database specific
{
    "cwe_ids": [
        "CWE-290",
        "CWE-345",
        "CWE-807"
    ],
    "osv_generated_from": "https://github.com/CVEProject/cvelistV5/tree/main/cves/2025/66xxx/CVE-2025-66570.json",
    "cna_assigner": "GitHub_M"
}
References

Affected packages

Git / github.com/yhirose/cpp-httplib

Affected ranges

Type
GIT
Repo
https://github.com/yhirose/cpp-httplib
Events
Introduced
0 Unknown introduced commit / All previous commits are affected
Fixed
Fixed
Database specific
{
    "cpe": "cpe:2.3:a:yhirose:cpp-httplib:*:*:*:*:*:*:*:*",
    "extracted_events": [
        {
            "introduced": "0"
        },
        {
            "fixed": "0.27.0"
        }
    ],
    "source": [
        "CPE_RANGE",
        "REFERENCES"
    ]
}

Affected versions

v0.*
v0.10.0
v0.10.1
v0.10.2
v0.10.3
v0.10.4
v0.10.5
v0.10.6
v0.10.7
v0.10.8
v0.10.9
v0.11.0
v0.11.1
v0.11.2
v0.11.3
v0.11.4
v0.12.0
v0.12.1
v0.12.2
v0.12.3
v0.12.4
v0.12.5
v0.12.6
v0.13.0
v0.13.1
v0.13.2
v0.13.3
v0.14.0
v0.14.1
v0.14.2
v0.14.3
v0.15.0
v0.15.1
v0.15.2
v0.15.3
v0.16.0
v0.16.1
v0.16.2
v0.16.3
v0.17.0
v0.17.1
v0.17.2
v0.17.3
v0.18.0
v0.18.1
v0.18.2
v0.18.3
v0.18.4
v0.18.5
v0.18.6
v0.18.7
v0.19.0
v0.2.0
v0.2.1
v0.2.2
v0.2.3
v0.2.4
v0.2.5
v0.2.6
v0.20.0
v0.20.1
v0.21.0
v0.22.0
v0.23.0
v0.23.1
v0.24.0
v0.25.0
v0.26.0
v0.3.0
v0.3.1
v0.3.2
v0.3.3
v0.4.0
v0.4.1
v0.4.2
v0.5.0
v0.5.1
v0.5.10
v0.5.11
v0.5.12
v0.5.13
v0.5.2
v0.5.3
v0.5.4
v0.5.5
v0.5.6
v0.5.7
v0.5.8
v0.5.9
v0.6.0
v0.6.1
v0.6.2
v0.6.3
v0.6.4
v0.6.5
v0.6.6
v0.6.7
v0.7.0
v0.7.1
v0.7.10
v0.7.11
v0.7.12
v0.7.13
v0.7.14
v0.7.15
v0.7.16
v0.7.17
v0.7.18
v0.7.2
v0.7.3
v0.7.4
v0.7.5
v0.7.6
v0.7.7
v0.7.8
v0.7.9
v0.8.0
v0.8.1
v0.8.2
v0.8.3
v0.8.4
v0.8.5
v0.8.6
v0.8.7
v0.8.8
v0.8.9
v0.9.0
v0.9.1
v0.9.10
v0.9.2
v0.9.3
v0.9.4
v0.9.5
v0.9.6
v0.9.7
v0.9.8
v0.9.9

Database specific

vanir_signatures
[
    {
        "source": "https://github.com/yhirose/cpp-httplib/commit/ac9ebb0ee333ce8bf13523f487bdfad9518a2aff",
        "signature_version": "v1",
        "signature_type": "Function",
        "digest": {
            "function_hash": "211639915249495605556406247598553603758",
            "length": 122.0
        },
        "deprecated": false,
        "id": "CVE-2025-66570-032e3a59",
        "target": {
            "function": "has_header",
            "file": "httplib.h"
        }
    },
    {
        "source": "https://github.com/yhirose/cpp-httplib/commit/ac9ebb0ee333ce8bf13523f487bdfad9518a2aff",
        "signature_version": "v1",
        "signature_type": "Function",
        "digest": {
            "function_hash": "59824275924222643092104203298436878897",
            "length": 1074.0
        },
        "deprecated": false,
        "id": "CVE-2025-66570-06e554aa",
        "target": {
            "function": "print_usage",
            "file": "docker/main.cc"
        }
    },
    {
        "source": "https://github.com/yhirose/cpp-httplib/commit/ac9ebb0ee333ce8bf13523f487bdfad9518a2aff",
        "signature_version": "v1",
        "signature_type": "Line",
        "digest": {
            "line_hashes": [
                "95818203396872946126233068898941044204",
                "265737799393927286488464023681319695675",
                "89338378455097449718371468556714976081",
                "198672229088665218672633139369165265897",
                "213064976865925059498785946467751728052",
                "199200367556653636316853984367310871192",
                "48105734522893591225302925408400195994",
                "162869203827632632145200633919591381390",
                "152958649109259218022348847969854178494",
                "240663583434377107149437983569929234511",
                "108950373651180947249017511803314412797",
                "107447439366027365818687294781876050149",
                "23380772304048930506531570016104270047",
                "173740101324364649742620009613113936197",
                "66305359015420715107979951117495037834",
                "110332727694420415542977909257265321665",
                "247633960332075200345674975570251802579",
                "205131501545719659627231333940264783975",
                "100203935227163279432658118518339893700",
                "193042667813324484496891167759653579355",
                "104263506093600687814284100591830963899",
                "149669803656692398748414671664885491401",
                "30324545344415687477847069960995266533",
                "62287091175069280843480371355555573018",
                "307097762933956638820428916000922736456",
                "331918336141750915932541745428480971928",
                "264228452946538583165182630860963617124",
                "56892242813523519580566391594246523007",
                "134449008376306921459541189796777211701",
                "36903693351398944044358273552075261381",
                "210778898305495867438473538050299284046",
                "17267167288488765219126879385124530217",
                "137963605042839593099960003988676239353",
                "115289475012866943375913721802957453044",
                "191750710673405380758628058664399903153",
                "114835576574070679498974901677128973383",
                "80063638506868269259042481713702461050",
                "275795734847146760495011478890456174793",
                "323667175909297168002958075016484226034",
                "14567257543545610564300870654460074200",
                "334243857410454076620264969125073431476",
                "219285834642798779614670253369624439572",
                "181735877950415318232742099571085239793",
                "333920153210520673466618421203649406514",
                "134255624353367393144714575781844568105",
                "278227181354671945096302320642079475590",
                "249611915759573277069937725690081922167",
                "141427632348859355130735586382186615810",
                "246134227403549136731912841407424615075",
                "336609216959797787019308575804524861629",
                "271991216790860930908791574840619835509",
                "114693229550858896947033549060162996469",
                "172578019086805111488262956960658079756",
                "338386440966274437011308654001860914891"
            ],
            "threshold": 0.9
        },
        "deprecated": false,
        "id": "CVE-2025-66570-29e4f95e",
        "target": {
            "file": "docker/main.cc"
        }
    },
    {
        "source": "https://github.com/yhirose/cpp-httplib/commit/ac9ebb0ee333ce8bf13523f487bdfad9518a2aff",
        "signature_version": "v1",
        "signature_type": "Line",
        "digest": {
            "line_hashes": [
                "288587838992725280579261393712590293841",
                "179178826506156294067797010915601097648",
                "133535994317919995359163068165743696381",
                "147533884307154444946982885411735619074",
                "36751357194087975611817736135319139693",
                "260464587476131073643420691536685362282",
                "150347150819729255132692349192095276116",
                "236009344024645341535330185777444059565",
                "131965251375211639426662293924655665130",
                "318833196408530880574440430724390889208",
                "199002391503964900926712038371149312079",
                "315009238228080611884493345374094474243",
                "213871355765257400743049240907671641225",
                "267252840775159401936414934592662196279",
                "161115713507010317847876569679423325648",
                "187315063727299660150762053880223702523",
                "29318283208039288795517471742896182907",
                "77782219032409859541310939429758656385",
                "321205915960771525998903401075401600059",
                "303159654451638057659174187423303434893",
                "55389554466510745486724013179061692088",
                "325729907128596286851314445705430066535",
                "331231541094450455071562681430061276934",
                "306262097089555815613745021290497029602",
                "76428020437592757791624769712856721867",
                "218076442185634809707669084021231908372",
                "306024536282328365484749620089368482264",
                "111087902338376062520768395918025903076",
                "40748747969532151121922704483373258892",
                "45097461641782754821353906427426763762",
                "200181319017076626289389827144078493586",
                "215785389979101820697285471653311630725",
                "118958071645517167591099922125077227783"
            ],
            "threshold": 0.9
        },
        "deprecated": false,
        "id": "CVE-2025-66570-380d5cad",
        "target": {
            "file": "httplib.h"
        }
    },
    {
        "source": "https://github.com/yhirose/cpp-httplib/commit/ac9ebb0ee333ce8bf13523f487bdfad9518a2aff",
        "signature_version": "v1",
        "signature_type": "Function",
        "digest": {
            "function_hash": "321434341238069973289047902748031141194",
            "length": 362.0
        },
        "deprecated": false,
        "id": "CVE-2025-66570-3b6f0558",
        "target": {
            "function": "get_client_ip",
            "file": "docker/main.cc"
        }
    },
    {
        "source": "https://github.com/yhirose/cpp-httplib/commit/ac9ebb0ee333ce8bf13523f487bdfad9518a2aff",
        "signature_version": "v1",
        "signature_type": "Function",
        "digest": {
            "function_hash": "311717512562599687120374900807777089750",
            "length": 2083.0
        },
        "deprecated": false,
        "id": "CVE-2025-66570-3dac7e48",
        "target": {
            "function": "parse_command_line",
            "file": "docker/main.cc"
        }
    },
    {
        "source": "https://github.com/yhirose/cpp-httplib/commit/ac9ebb0ee333ce8bf13523f487bdfad9518a2aff",
        "signature_version": "v1",
        "signature_type": "Function",
        "digest": {
            "function_hash": "175433049236346953469518212335239330087",
            "length": 20365.0
        },
        "deprecated": false,
        "id": "CVE-2025-66570-6b229225",
        "target": {
            "function": "SetUp",
            "file": "test/test.cc"
        }
    },
    {
        "source": "https://github.com/yhirose/cpp-httplib/commit/ac9ebb0ee333ce8bf13523f487bdfad9518a2aff",
        "signature_version": "v1",
        "signature_type": "Function",
        "digest": {
            "function_hash": "133932702808865348877319463287538252893",
            "length": 641.0
        },
        "deprecated": false,
        "id": "CVE-2025-66570-a9b3cead",
        "target": {
            "function": "nginx_error_logger",
            "file": "docker/main.cc"
        }
    },
    {
        "source": "https://github.com/yhirose/cpp-httplib/commit/ac9ebb0ee333ce8bf13523f487bdfad9518a2aff",
        "signature_version": "v1",
        "signature_type": "Function",
        "digest": {
            "function_hash": "273180357415705739973839409723482329845",
            "length": 325.0
        },
        "deprecated": false,
        "id": "CVE-2025-66570-b3f714e2",
        "target": {
            "function": "get_header_value",
            "file": "httplib.h"
        }
    },
    {
        "source": "https://github.com/yhirose/cpp-httplib/commit/ac9ebb0ee333ce8bf13523f487bdfad9518a2aff",
        "signature_version": "v1",
        "signature_type": "Function",
        "digest": {
            "function_hash": "290811620172586141091079999531902874892",
            "length": 750.0
        },
        "deprecated": false,
        "id": "CVE-2025-66570-b6853e95",
        "target": {
            "function": "main",
            "file": "docker/main.cc"
        }
    },
    {
        "source": "https://github.com/yhirose/cpp-httplib/commit/ac9ebb0ee333ce8bf13523f487bdfad9518a2aff",
        "signature_version": "v1",
        "signature_type": "Line",
        "digest": {
            "line_hashes": [
                "120017251896481401810482193239876394372",
                "306534722914332144196388942944750675350",
                "54398655719700835562928444182301289712",
                "62356465471896721288602959892694741287",
                "166397605190268315918788363763051545025",
                "38883129169282458167530307697786422954",
                "188485155259659080634487271189772840680",
                "78392688952351040638286850897814972319",
                "86467973368861533479545574442063816250",
                "144625908640344205689495716551634146768",
                "247329169896526663367508275821459373521",
                "66483609367388334043172558880875978657",
                "200586059129563609425471759759161256551",
                "133776700565771595888070015379365742281",
                "170097733691383819714708097850527814362",
                "335663463978784722291243752233634841691",
                "201337926666770128558898888307275588888",
                "36805233405098437688011987256670055059",
                "135283970743713236988075748477018334305"
            ],
            "threshold": 0.9
        },
        "deprecated": false,
        "id": "CVE-2025-66570-c7014340",
        "target": {
            "file": "test/test.cc"
        }
    },
    {
        "source": "https://github.com/yhirose/cpp-httplib/commit/ac9ebb0ee333ce8bf13523f487bdfad9518a2aff",
        "signature_version": "v1",
        "signature_type": "Function",
        "digest": {
            "function_hash": "247222770561768009078115580334413315025",
            "length": 2242.0
        },
        "deprecated": false,
        "id": "CVE-2025-66570-cbbee0d3",
        "target": {
            "function": "setup_server",
            "file": "docker/main.cc"
        }
    },
    {
        "source": "https://github.com/yhirose/cpp-httplib/commit/ac9ebb0ee333ce8bf13523f487bdfad9518a2aff",
        "signature_version": "v1",
        "signature_type": "Function",
        "digest": {
            "function_hash": "41553223838529170232519042641007258033",
            "length": 618.0
        },
        "deprecated": false,
        "id": "CVE-2025-66570-fb42ce30",
        "target": {
            "function": "nginx_access_logger",
            "file": "docker/main.cc"
        }
    }
]
vanir_signatures_modified
"2026-07-15T23:39:34Z"
source
"https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2025-66570.json"