Improper Neutralization of CRLF Sequences ('CRLF Injection')

CVE-2026-21428

High

7.7/10

Summary

cpp-httplib is a C++11 single-file header-only cross platform HTTP/HTTPS library. Prior to version 0.30.0, the "write_headers()" function does not check for CR & LF characters in user supplied headers, allowing untrusted header value to escape header lines. This vulnerability allows attackers to add extra headers, modify request body unexpectedly & trigger an Server-Side Request Forgery (SSRF) attack. When combined with a server that supports http1.1 pipelining (springboot, python twisted etc), this can be used for SSRF.

Attack Complexity: LOW
Attack Vector: NETWORK
Integrity Impact: HIGH
Scope: UNCHANGED
User Interaction: NONE
Privileges Required: NONE
Confidentiality Impact: NONE
Availability Impact: NONE

CWE-93 - Improper Neutralization of CRLF Sequences ('CRLF Injection')

The software uses CRLF (carriage return line feeds) as a special element, e.g. to separate lines or records, but it does not neutralize or incorrectly neutralizes CRLF sequences from inputs.

References

Advisory

Advisory Timeline

Published Jan 01, 2026

Improper Neutralization of CRLF Sequences ('CRLF Injection')

CVE-2026-21428

Summary

CWE-93 - Improper Neutralization of CRLF Sequences ('CRLF Injection')

References

Advisory Timeline

ChainJacking

JetBrains IDE

KICS SaaS