OESA-2025-2855

See a problem?
Please try reporting it to the source first.
Source
https://www.openeuler.org/en/security/security-bulletins/detail/?id=openEuler-SA-2025-2855
Import Source
https://repo.openeuler.org/security/data/osv/OESA-2025-2855.json
JSON Data
https://api.osv.dev/v1/vulns/OESA-2025-2855
Upstream
Published
2025-12-30T12:16:18Z
Modified
2025-12-30T13:00:07.514136Z
Summary
cpp-httplib security update
Details

A C++11 single-file header-only cross platform HTTP/HTTPS library. It's extremely easy to setup. Just include httplib.h file in your code!

Security Fix(es):

cpp-httplib is a C++11 single-file header-only cross platform HTTP/HTTPS library. Prior to 0.27.0, a vulnerability allows attacker-controlled HTTP headers to influence server-visible metadata, logging, and authorization decisions. An attacker can inject headers named REMOTEADDR, REMOTEPORT, LOCALADDR, LOCALPORT that are parsed into the request header multimap via readheaders() in httplib.h (headers.emplace), then the server later appends its own internal metadata using the same header names in Server::processrequest without erasing duplicates. Because Request::getheadervalue returns the first entry for a header key (id == 0) and the client-supplied headers are parsed before server-inserted headers, downstream code that uses these header names may inadvertently use attacker-controlled values. Affected files/locations: cpp-httplib/httplib.h (readheaders, Server::processrequest, Request::getheadervalue, getheadervalueu64) and cpp-httplib/docker/main.cc (getclientip, nginxaccesslogger, nginxerror_logger). Attack surface: attacker-controlled HTTP headers in incoming requests flow into the Request.headers multimap and into logging code that reads forwarded headers, enabling IP spoofing, log poisoning, and authorization bypass via header shadowing. This vulnerability is fixed in 0.27.0.(CVE-2025-66570)

cpp-httplib is a C++11 single-file header-only cross platform HTTP/HTTPS library. Prior to 0.27.0, a vulnerability allows attacker-controlled HTTP headers to influence server-visible metadata, logging, and authorization decisions. An attacker can supply X-Forwarded-For or X-Real-IP headers which get accepted unconditionally by getclientip() in docker/main.cc, causing access and error logs (nginxaccesslogger / nginxerrorlogger) to record spoofed client IPs (log poisoning / audit evasion). This vulnerability is fixed in 0.27.0.(CVE-2025-66577)

Database specific 
{
    "severity": "Critical"
}
References

Affected packages

openEuler:22.03-LTS-SP4 / cpp-httplib

Package

Name
cpp-httplib
Purl
pkg:rpm/openEuler/cpp-httplib&distro=openEuler-22.03-LTS-SP4

Affected ranges

Type
ECOSYSTEM
Events
Introduced
0Unknown introduced version / All previous versions are affected
Fixed
0.27.0-1.oe2203sp4

Ecosystem specific 

{
    "aarch64": [
        "cpp-httplib-0.27.0-1.oe2203sp4.aarch64.rpm",
        "cpp-httplib-debuginfo-0.27.0-1.oe2203sp4.aarch64.rpm",
        "cpp-httplib-debugsource-0.27.0-1.oe2203sp4.aarch64.rpm",
        "cpp-httplib-devel-0.27.0-1.oe2203sp4.aarch64.rpm"
    ],
    "src": [
        "cpp-httplib-0.27.0-1.oe2203sp4.src.rpm"
    ],
    "x86_64": [
        "cpp-httplib-0.27.0-1.oe2203sp4.x86_64.rpm",
        "cpp-httplib-debuginfo-0.27.0-1.oe2203sp4.x86_64.rpm",
        "cpp-httplib-debugsource-0.27.0-1.oe2203sp4.x86_64.rpm",
        "cpp-httplib-devel-0.27.0-1.oe2203sp4.x86_64.rpm"
    ]
}

Database specific

source 
"https://repo.openeuler.org/security/data/osv/OESA-2025-2855.json"