CVE-2026-21428
Published: 01 January 2026
Summary
CVE-2026-21428 is a high-severity CRLF Injection (CWE-93) vulnerability in Yhirose Cpp-Httplib. Its CVSS base score is 7.7 (High).
Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190); ranked at the 4.9th percentile by exploit likelihood (below the median); it is not currently listed in the CISA KEV catalog; a public proof-of-concept is referenced.
The strongest mitigations our analysis identified are NIST 800-53 RA-5 (Vulnerability Monitoring and Scanning) and SI-10 (Information Input Validation).
Deeper analysis
CVE-2026-21428 affects cpp-httplib, a C++11 single-file header-only cross-platform HTTP/HTTPS library, in versions prior to 0.30.0. The vulnerability resides in the `write_headers` function, which fails to validate user-supplied header values for carriage return (CR) and line feed (LF) characters. This oversight allows malicious header values to escape their intended lines, enabling header injection. The issue is classified under CWE-93 (Improper Neutralization of CRLF Sequences) with a CVSS v3.1 base score of 7.5 (AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N), indicating high integrity impact from network-accessible exploitation without privileges.
Remote attackers can exploit this vulnerability by supplying crafted HTTP headers containing CR/LF sequences. Successful exploitation allows adding arbitrary extra headers, unexpectedly modifying the request body, and potentially triggering server-side request forgery (SSRF) attacks. The SSRF risk escalates when cpp-httplib is used with servers supporting HTTP/1.1 pipelining, such as Spring Boot or Python Twisted, as attackers can forge requests to internal or unauthorized endpoints.
The cpp-httplib project addresses this in version 0.30.0, which includes a fix via commit 98048a033a532ff22320ce1d11789f8d5710dfcd. Security practitioners should upgrade to v0.30.0 or later. Additional details are available in the GitHub security advisory (GHSA-wpc6-j37r-jcx7) and release notes.
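The validation the advisory says `write_headers` lacked, shown as an added example that is not cpp-httplib's own code: the unchecked serializer beside a hardened one that rejects CR/LF before a header line can be escaped, plus a line counter a defender can use to spot a block that grew. Function names (`header_value_is_safe`, `serialize_checked`, `count_lines`, etc.) are hypothetical; the control-character rules follow RFC 9110 field syntax.

```cpp
#include <map>
#include <stdexcept>
#include <string>

// Added illustration, not cpp-httplib's own code. A header field value must not
// contain CR or LF (either byte ends the header line early) or other control
// bytes apart from HTAB.
bool header_value_is_safe(const std::string &value) {
    for (unsigned char c : value)
        if (c == '\r' || c == '\n' || c == 0x7f || (c < 0x20 && c != '\t')) return false;
    return true;
}

// Header names are tokens: visible ASCII minus the delimiter characters.
bool header_name_is_safe(const std::string &name) {
    static const std::string delims = "\"(),/:;<=>?@[\\]{}";
    if (name.empty()) return false;
    for (unsigned char c : name)
        if (c <= 0x20 || c >= 0x7f || delims.find(c) != std::string::npos) return false;
    return true;
}

// The unchecked pattern the advisory describes: every entry is written as
// "name: value\r\n" verbatim, so a value holding CRLF produces extra lines.
std::string serialize_unchecked(const std::multimap<std::string, std::string> &h) {
    std::string out;
    for (const auto &kv : h) out += kv.first + ": " + kv.second + "\r\n";
    return out + "\r\n";
}

// Hardened form: validate first and refuse the whole block on any bad entry.
std::string serialize_checked(const std::multimap<std::string, std::string> &h) {
    for (const auto &kv : h) {
        if (!header_name_is_safe(kv.first)) throw std::invalid_argument("bad header name: " + kv.first);
        if (!header_value_is_safe(kv.second)) throw std::invalid_argument("bad value for: " + kv.first);
    }
    return serialize_unchecked(h);
}

// True when the hardened serializer refuses the block.
bool checked_rejects(const std::multimap<std::string, std::string> &h) {
    try { serialize_checked(h); } catch (const std::invalid_argument &) { return true; }
    return false;
}

// Number of CRLF-terminated lines in a block (terminator line included); more
// lines than headers plus one is the symptom of an escaped value.
size_t count_lines(const std::string &block) {
    size_t n = 0;
    for (size_t p = block.find("\r\n"); p != std::string::npos; p = block.find("\r\n", p + 2)) ++n;
    return n;
}
```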
EU & UK References
- 🇪🇺 ENISA EUVD: EUVD-2026-0026
Vulnerability details
cpp-httplib is a C++11 single-file header-only cross platform HTTP/HTTPS library. Prior to version 0.30.0, the ``write_headers`` function does not check for CR & LF characters in user supplied headers, allowing untrusted header values to escape header lines. This vulnerability allows attackers to add extra headers, modify request body unexpectedly & trigger an SSRF attack. When combined with a server that supports http1.1 pipelining (springboot, python twisted etc), this can be used for server side request forgery (SSRF). Version 0.30.0 fixes this issue.
Related Threats
MITRE ATT&CK Enterprise Techniques
Why these techniques?
The CVE describes a remotely exploitable CRLF/header injection flaw in a public-facing HTTP library, directly enabling T1190 (Exploit Public-Facing Application) with no authentication required.
Mitigating Controls (NIST 800-53 r5)
- SI-10 (Information Input Validation): directly requires validation of user-supplied HTTP header inputs to neutralize CRLF sequences and prevent header injection in cpp-httplib's write_headers function.
- SI-2 (Flaw Remediation): mandates identification, reporting, and correction of the CRLF validation flaw in cpp-httplib by upgrading to version 0.30.0 or later.
- RA-5 (Vulnerability Monitoring and Scanning): requires vulnerability scanning to identify systems using vulnerable versions of cpp-httplib prior to 0.30.0, enabling timely remediation.