CVE-2025-0825
📋 TL;DR
CVE-2025-0825 is a CRLF injection vulnerability in cpp-httplib where null-byte-prefixed CRLF sequences aren't properly filtered, allowing attackers to inject malicious headers or content into HTTP responses. This affects applications using cpp-httplib versions v0.17.3 through v0.18.3 for HTTP server functionality. Attackers could exploit this to perform HTTP response splitting, cross-site scripting (XSS), or other web-based attacks.
💻 Affected Systems
- cpp-httplib
📦 What is this software?
Cpp Httplib by Yhirose
⚠️ Risk & Real-World Impact
Worst Case
Full HTTP response splitting leading to XSS attacks against users, cache poisoning, or session fixation attacks depending on server configuration and usage.
Likely Case
Limited HTTP header injection allowing attackers to manipulate response headers, potentially enabling XSS or other client-side attacks.
If Mitigated
Minimal impact if proper input validation and output encoding are implemented at the application layer.
🎯 Exploit Status
Exploitation requires sending specially crafted HTTP requests with null-byte-prefixed CRLF sequences to vulnerable endpoints.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: v0.18.4 and later
Vendor Advisory: https://github.com/yhirose/cpp-httplib/commit/9c36aae4b73e2b6e493f4133e4173103c9266289
Restart Required: Yes
Instructions:
1. Update cpp-httplib dependency to v0.18.4 or later.
2. Rebuild and redeploy affected applications.
3. Restart services using the updated library.
🔧 Temporary Workarounds
Input validation filter
Implement custom input validation to filter null bytes and CRLF sequences before processing requests.
Web Application Firewall (WAF)
Configure WAF rules to block requests containing null-byte-prefixed CRLF sequences.
🧯 If You Can't Patch
- Implement strict input validation at the application layer to reject requests containing null bytes or CRLF sequences.
- Use a reverse proxy or WAF to filter malicious requests before they reach the vulnerable application.
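Added example (not code from cpp-httplib or from this advisory): one way to implement the application-layer check described under "Input validation filter" and in the list above, rejecting any request-derived value whose raw or percent-decoded form contains NUL, CR or LF. The function names are hypothetical helpers, not part of the cpp-httplib API.

```cpp
#include <cstddef>
#include <string>

// Hypothetical helpers for illustration; not part of cpp-httplib.

// Value of one hex digit, or -1 if c is not a hex digit.
static int hex_val(char c) {
    if (c >= '0' && c <= '9') return c - '0';
    if (c >= 'a' && c <= 'f') return c - 'a' + 10;
    if (c >= 'A' && c <= 'F') return c - 'A' + 10;
    return -1;
}

// Decode %XX escapes once; invalid escapes are copied through unchanged.
// Iterates over the full std::string length, so an embedded NUL byte
// does not end the scan the way it would with C-string functions.
std::string percent_decode(const std::string &in) {
    std::string out;
    out.reserve(in.size());
    for (std::size_t i = 0; i < in.size(); ++i) {
        if (in[i] == '%' && i + 2 < in.size()) {
            int hi = hex_val(in[i + 1]), lo = hex_val(in[i + 2]);
            if (hi >= 0 && lo >= 0) {
                out.push_back(static_cast<char>(hi * 16 + lo));
                i += 2;
                continue;
            }
        }
        out.push_back(in[i]);
    }
    return out;
}

// True if s contains NUL, CR or LF anywhere, checked byte by byte.
bool has_forbidden_byte(const std::string &s) {
    for (unsigned char c : s)
        if (c == '\0' || c == '\r' || c == '\n') return true;
    return false;
}

// Reject a value if either its raw or its decoded form carries NUL/CR/LF.
// Call this before copying request data into a response header.
bool is_safe_for_header(const std::string &value) {
    return !has_forbidden_byte(value) &&
           !has_forbidden_byte(percent_decode(value));
}
```

The helper decodes only once, so an application that decodes input more than once has to run the check after its final decode.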
🔍 How to Verify
Check if Vulnerable:
Check whether your application uses a cpp-httplib version between v0.17.3 and v0.18.3 inclusive. Review dependency files (CMakeLists.txt, package.json, etc.) or build configuration.
Check Version:
Check your build system configuration or run: grep -r "cpp-httplib" your_project/ to find version references.
Verify Fix Applied:
Confirm cpp-httplib version is v0.18.4 or later. Test with crafted requests containing null-byte-prefixed CRLF sequences to ensure they are properly rejected.
📡 Detection & Monitoring
Log Indicators:
- HTTP requests containing %00%0D%0A or null-byte followed by CRLF sequences in URL or headers
- Unusual response headers or malformed HTTP responses
Network Indicators:
- HTTP requests with encoded null bytes and CRLF sequences
- Abnormal HTTP response splitting in traffic
SIEM Query:
http.request.uri contains "%00%0D%0A" OR http.request.header contains "\x00\r\n"