cpp-httplib Untrusted HTTP Header Handling Vulnerability Allowing Header Injection and Authorization Bypass

A vulnerability in cpp-httplib versions prior to 0.27.0 allows attacker-controlled HTTP headers to influence server-visible metadata, logging, and authorization decisions. Headers such as REMOTE_ADDR, REMOTE_PORT, LOCAL_ADDR, and LOCAL_PORT can be injected by the attacker. These headers are parsed into the request header multimap, and the server later appends its own metadata using the same header names without removing duplicates. This can lead to downstream code using attacker-controlled values, causing IP spoofing, log poisoning, and authorization bypass.

Impact

Exploitation allows for unauthorized access to protected resources by spoofing internal metadata headers, which can bypass IP-based access controls and authorization checks, particularly on sensitive endpoints.

Reproduction

The vulnerability can be reproduced by sending HTTP requests to a server using cpp-httplib with custom headers that include REMOTE_ADDR, REMOTE_PORT, LOCAL_ADDR, or LOCAL_PORT. The server's response can be observed to confirm the injection of these header values. Additionally, the vulnerability can be tested by interacting with endpoints that rely on the spoofed header values for authorization decisions.

Remediation

Users can update to cpp-httplib version 0.27.0 or later, where this vulnerability has been fixed.