cpp-httplib Denial-of-Service Vulnerability via Malicious X-Forwarded-For Header

Vulnerability

A denial-of-service vulnerability has been identified in cpp-httplib versions prior to 0.44.0. When the server's trusted-proxy list is non-empty, an attacker can send an HTTP request whose X-Forwarded-For header contains no valid IP segments (for example, an empty value or a value consisting only of commas). The get_client_ip() function then calls front() on an empty std::vector, which is undefined behavior in C++. In practice this usually terminates the process abnormally; in a build with sanitizers enabled, a runtime diagnostic is reported at the faulty access instead.

Impact

Exploitation causes an abnormal termination of the server process, resulting in a denial-of-service condition. Without a process supervisor the service stays down; even with auto-restart, an attacker can keep the service unavailable by repeating the request, since each attempt costs only a single HTTP request.

Reproduction

To reproduce this vulnerability, send an HTTP request whose X-Forwarded-For header is either empty or contains only commas to a server configured with a non-empty trusted-proxy list. Any client that can set request headers works, for example curl or a raw HTTP request written directly to a socket. A successful reproduction ends with the server process terminating (or, in a sanitizer build, emitting a runtime diagnostic) instead of returning a response.
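As an added example, not code from cpp-httplib itself, the following minimal X-Forwarded-For parser shows the unchecked front() pattern described in the Vulnerability section beside a hardened form that falls back to the peer address when the header yields no segments, which is exactly the input class (empty value, or commas only) used in the reproduction above. It goes beyond the advisory in one respect: the hardened function also walks the chain right to left and skips addresses that are themselves in the trusted-proxy list, the usual way a trusted-proxy list is applied; the advisory does not describe how cpp-httplib selects the address. All names (split_xff, is_trusted, client_ip_unchecked, client_ip_checked) and the sample addresses are this example's own assumptions.

```cpp
#include <algorithm>
#include <iostream>
#include <string>
#include <vector>

// All helper names below are this example's own, not cpp-httplib's API.

// Split an X-Forwarded-For value on commas, trimming spaces and tabs from
// each piece and discarding pieces that are empty after trimming. "" and
// ",,," therefore both yield an empty vector, the input class from the
// advisory. (Only emptiness is checked here, not IP syntax.)
static std::vector<std::string> split_xff(const std::string &value) {
    std::vector<std::string> out;
    std::string cur;
    auto flush = [&]() {
        const size_t b = cur.find_first_not_of(" \t");
        if (b != std::string::npos) {
            const size_t e = cur.find_last_not_of(" \t");
            out.push_back(cur.substr(b, e - b + 1));
        }
        cur.clear();
    };
    for (char c : value) {
        if (c == ',') flush(); else cur.push_back(c);
    }
    flush();
    return out;
}

static bool is_trusted(const std::vector<std::string> &trusted,
                       const std::string &addr) {
    return std::find(trusted.begin(), trusted.end(), addr) != trusted.end();
}

// The unchecked shape of the bug: front() on a vector that may be empty is
// undefined behaviour (typically a crash, or a sanitizer report in an
// instrumented build). Shown for contrast; never call it with an empty list.
static std::string client_ip_unchecked(const std::string &xff) {
    const auto segs = split_xff(xff);
    return segs.front();  // UB when segs.empty()
}

// Hardened form. The header is honoured only when the direct peer is a
// trusted proxy; segments are walked right to left (the rightmost entry was
// appended by the nearest proxy) and trusted proxy addresses are skipped.
// If no usable segment remains, including the empty/commas-only case, the
// transport-layer peer address is returned instead of touching front().
static std::string client_ip_checked(const std::string &xff,
                                     const std::string &remote_addr,
                                     const std::vector<std::string> &trusted) {
    if (trusted.empty() || !is_trusted(trusted, remote_addr)) return remote_addr;
    const auto segs = split_xff(xff);
    for (auto it = segs.rbegin(); it != segs.rend(); ++it) {
        if (!is_trusted(trusted, *it)) return *it;
    }
    return remote_addr;
}

int main() {
    // Constructed inputs: a benign proxy chain and the two malicious values.
    const std::vector<std::string> trusted = {"10.0.0.2", "10.0.0.3"};
    for (const std::string &xff : {std::string("203.0.113.7, 10.0.0.3"),
                                   std::string(""), std::string(",,,")}) {
        std::cout << "XFF=\"" << xff << "\" -> "
                  << client_ip_checked(xff, "10.0.0.2", trusted) << "\n";
    }
    return 0;
}
```

Building with sanitizers (or, on libstdc++, with -D_GLIBCXX_ASSERTIONS) and calling client_ip_unchecked with an empty or commas-only value makes the failure visible at the front() call rather than as a silent crash; client_ip_checked returns the peer address for the same input.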

Remediation

Update to cpp-httplib version 0.44.0 or later, where this vulnerability has been fixed. Until the upgrade is deployed, the precondition can be removed by leaving the server's trusted-proxy list empty, or by having a front proxy strip or normalize client-supplied X-Forwarded-For headers before requests reach the server.

Added: May 29, 2026, 8:27 PM
Updated: May 29, 2026, 8:27 PM

Vulnerability Rating

Custom Algorithm

spread: 6.2
impact: 3.1
exploitability: 9.5
remediation: 7.7
relevance: 9.7
threat: 6.4
urgency: 2.9
incentive: 8.3

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.