cpp-httplib Default Exception Handler Information Disclosure Vulnerability

Vulnerability

A vulnerability exists in cpp-httplib, a C++11 single-file header-only cross-platform HTTP/HTTPS library, in versions prior to 0.35.0. When a request handler throws a C++ exception and the application has not registered its own handler through Server::set_exception_handler, the library catches the exception itself and copies the text returned by the exception's what() into the HTTP response as a header named EXCEPTION_WHAT. The header is sent to every client that can reach the throwing route: no authentication, crafted request, or non-default configuration is needed to trigger it. The result is that internal exception messages leak to arbitrary clients. The issue is easy to miss because registering an exception handler is optional and nothing in the default setup indicates that leaving it unset will echo exception text onto the network.

Impact

The vulnerability allows unauthorized information disclosure: internal exception messages reach clients in the EXCEPTION_WHAT response header. Exception text usually records what the code was doing when it failed, so it can include file system paths, database connection details, host names, and other application-specific details. Where an exception message embeds a secret or credential (for example, a connection string that carries a password), the confidentiality impact is considerably higher, and a single request to a route that throws is enough to retrieve it.

Reproduction

To reproduce, build a server with a vulnerable version (0.34.0 or earlier), do not call set_exception_handler, and mount a route whose handler throws, for example a std::runtime_error. Request that route: the server answers with a 500 response carrying an EXCEPTION_WHAT header whose value is the exception's what() text. Any HTTP client that shows response headers (curl -i, for instance) confirms the leak.

Remediation

Users of cpp-httplib should update to version 0.35.0 or later. Independently of the version, register an exception handler with Server::set_exception_handler and have it log the full exception server-side while returning a generic 500 body; the handler is the only place where the application controls what a client sees when a route throws. Because httplib.h is commonly vendored into a project rather than installed through a package manager, check the copy that is actually compiled in (the CPPHTTPLIB_VERSION define near the top of the file) rather than assuming an upgrade elsewhere took effect. For library maintainers, the recommended fix is to remove the default EXCEPTION_WHAT header insertion and to add a security warning to the README about the risk of not registering an exception handler.
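The reproduction above and the handler that the remediation calls for, as an added example; this is not cpp-httplib's code or the advisory author's. It models the pre-0.35.0 default from the page's description (what() copied into an EXCEPTION_WHAT header) next to a handler that keeps the detail in the server log, and adds a checker for a raw header dump such as curl produces. The demo::Request and demo::Response structs are stand-ins, an assumption of this example, so the file compiles without httplib.h; with the real library the handler signature is std::function<void(const httplib::Request &, httplib::Response &, std::exception_ptr)> and it is registered with svr.set_exception_handler(...). The /boom route and the exception text are constructed sample input.

```cpp
// Added example, not cpp-httplib's code. The demo:: structs are stand-ins
// (assumption) carrying only the members used here; with the real library you
// would #include "httplib.h" and call svr.set_exception_handler(...).
#include <cctype>
#include <exception>
#include <iostream>
#include <map>
#include <stdexcept>
#include <string>

namespace demo {

struct Request {
  std::string method;
  std::string path;
};

struct Response {
  int status = 200;
  std::string body;
  std::multimap<std::string, std::string> headers;
  void set_header(const std::string &k, const std::string &v) { headers.emplace(k, v); }
  void set_content(const std::string &b, const std::string &ct) {
    body = b;
    set_header("Content-Type", ct);
  }
  bool has_header(const std::string &k) const { return headers.find(k) != headers.end(); }
};

// Pre-0.35.0 default, simplified from the page's description: the exception
// text ends up in an EXCEPTION_WHAT response header. Kept only for contrast.
void leaky_default(const Request &, Response &res, std::exception_ptr ep) {
  try {
    std::rethrow_exception(ep);
  } catch (const std::exception &e) {
    res.status = 500;
    res.set_header("EXCEPTION_WHAT", e.what());
  }
}

// Replacement handler, same shape as the library's ExceptionHandler:
//   void(const Request &, Response &, std::exception_ptr)
// The full message goes to the server log; the client gets a generic 500.
void safe_exception_handler(const Request &req, Response &res, std::exception_ptr ep) {
  std::string detail = "non-std exception";
  try {
    if (ep) std::rethrow_exception(ep);
  } catch (const std::exception &e) {
    detail = e.what();
  } catch (...) {
  }
  std::cerr << "[exception] " << req.method << ' ' << req.path << ": " << detail << '\n';
  res.status = 500;
  res.set_content("Internal Server Error", "text/plain");
}

// Runs a route handler and passes any exception to the exception handler,
// mirroring what the library does around routing.
template <class Handler, class ExcHandler>
Response dispatch(const Request &req, Handler handler, ExcHandler on_exception) {
  Response res;
  try {
    handler(req, res);
  } catch (...) {
    on_exception(req, res, std::current_exception());
  }
  return res;
}

// Constructed sample: "GET /boom" fails while opening a config file. Runs it
// under either handler so the two responses can be compared.
Response run_sample(bool use_safe_handler) {
  Request req{"GET", "/boom"};
  auto throws = [](const Request &, Response &) {
    throw std::runtime_error("open /etc/app/secrets.ini failed");
  };
  return use_safe_handler ? dispatch(req, throws, safe_exception_handler)
                          : dispatch(req, throws, leaky_default);
}

// Scans a raw HTTP response (e.g. output of `curl -sD - -o /dev/null URL`) for
// an EXCEPTION_WHAT header. Names are case-insensitive, so lines are lowercased;
// only the header block before the blank line is examined.
bool leaks_exception_header(const std::string &raw) {
  std::string headers = raw;
  auto end = raw.find("\r\n\r\n");
  if (end == std::string::npos) end = raw.find("\n\n");
  if (end != std::string::npos) headers = raw.substr(0, end);
  std::size_t pos = 0;
  while (pos < headers.size()) {
    auto nl = headers.find('\n', pos);
    std::string line = headers.substr(pos, nl == std::string::npos ? std::string::npos : nl - pos);
    if (!line.empty() && line.back() == '\r') line.pop_back();
    std::string lower;
    for (char c : line) lower += static_cast<char>(std::tolower(static_cast<unsigned char>(c)));
    if (lower.rfind("exception_what:", 0) == 0) return true;
    if (nl == std::string::npos) break;
    pos = nl + 1;
  }
  return false;
}

}  // namespace demo

int main() {
  std::cout << "default leaks header: " << demo::run_sample(false).has_header("EXCEPTION_WHAT") << '\n'
            << "custom leaks header:  " << demo::run_sample(true).has_header("EXCEPTION_WHAT") << '\n';
  return 0;
}
```

Against a live server, feed the output of `curl -sD - -o /dev/null http://host/route` to leaks_exception_header (or simply read it); a hit means the process is running a vulnerable build without a registered handler. The safe handler deliberately returns a fixed body rather than a sanitized version of what(): exception text is free-form and there is no reliable way to scrub paths or credentials out of it, so the only safe client-visible content is something the application chose itself.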

Added: Mar 4, 2026, 8:28 PM
Updated: Mar 4, 2026, 8:28 PM

Vulnerability Rating

Custom Algorithm
spread: 6.2
impact: 0.6
exploitability: 9.5
remediation: 8.3
relevance: 3.5
threat: 6.4
urgency: 2.9
incentive: 8.3

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.