cpp-httplib HTTP Header Value Percent-Decoding Vulnerability Enables CRLF Injection

A vulnerability in cpp-httplib versions prior to 0.44.0 allows for CRLF injection through improper percent-decoding of HTTP header values. The library's server applies percent-decoding to most header values except for 'Location' and 'Referer'. This flaw enables encoded carriage return and line feed characters to be injected into headers, creating several potential attack vectors, such as HTTP response splitting and request smuggling.

Impact

Exploitation of this vulnerability leads to HTTP response splitting, allowing injection of additional response headers or manipulation of the response body. It also facilitates HTTP request smuggling when the cpp-httplib client is used as a forward proxy, by injecting CRLF into headers that are proxied to the server.

Reproduction

To reproduce this vulnerability, set up a cpp-httplib server and send a request with a header value that includes percent-encoded CRLF characters. The server will decode the header value and inject the CRLF into the response, demonstrating the injection flaw.

Remediation

Users are advised to update to cpp-httplib version 0.44.0 or later, where this vulnerability has been fixed.