CVE-2025-66570
📋 TL;DR
This vulnerability in cpp-httplib allows attackers to inject HTTP headers (REMOTE_ADDR, REMOTE_PORT, LOCAL_ADDR, LOCAL_PORT) that shadow server-generated metadata. This enables IP spoofing, log poisoning, and potential authorization bypass by tricking the server into using attacker-controlled values instead of legitimate client information. All applications using vulnerable versions of cpp-httplib are affected.
💻 Affected Systems
- cpp-httplib
📦 What is this software?
Cpp Httplib by Yhirose
⚠️ Risk & Real-World Impact
Worst Case
Complete system compromise through authorization bypass, false attribution of attacks via IP spoofing, and log poisoning that hides malicious activity.
Likely Case
IP spoofing leading to incorrect client identification, log poisoning that obscures attack sources, and potential privilege escalation if authorization decisions rely on these headers.
If Mitigated
Limited impact to logging accuracy with proper input validation and header sanitization in place.
🎯 Exploit Status
Exploitation requires sending specially crafted HTTP headers, which is straightforward for attackers with network access.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: 0.27.0
Vendor Advisory: https://github.com/yhirose/cpp-httplib/security/advisories/GHSA-xm2j-vfr9-mg9m
Restart Required: Yes
Instructions:
1. Update cpp-httplib to version 0.27.0 or later.
2. Replace the httplib.h header file with the patched version.
3. Recompile and restart all affected applications.
🔧 Temporary Workarounds
Header sanitization middleware
Platform: all
Implement custom request processing that removes or validates the four vulnerable headers before they reach cpp-httplib's internal processing.
Reverse proxy filtering
Platform: linux
Configure a reverse proxy (nginx, Apache, etc.) to strip REMOTE_ADDR, REMOTE_PORT, LOCAL_ADDR, and LOCAL_PORT headers from incoming requests.
nginx example (setting a header to an empty string with proxy_set_header stops nginx from passing it to the proxied server):
proxy_set_header REMOTE_ADDR "";
proxy_set_header REMOTE_PORT "";
proxy_set_header LOCAL_ADDR "";
proxy_set_header LOCAL_PORT "";
🧯 If You Can't Patch
- Implement application-level validation to ignore client-supplied values for REMOTE_ADDR, REMOTE_PORT, LOCAL_ADDR, and LOCAL_PORT headers.
- Deploy network-level filtering to block requests containing these specific headers at the firewall or load balancer.
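The header sanitization workaround and the application-level validation above can be sketched as follows. This is an added example, not code from cpp-httplib or its advisory: the multimap with first-match lookup is an assumed model of header storage, the function names are hypothetical, and the addresses are constructed sample values.

```cpp
#include <algorithm>
#include <cctype>
#include <cstddef>
#include <map>
#include <string>

// Case-insensitive ordering, since HTTP header names are case-insensitive.
struct CiLess {
  bool operator()(const std::string &a, const std::string &b) const {
    return std::lexicographical_compare(
        a.begin(), a.end(), b.begin(), b.end(),
        [](unsigned char x, unsigned char y) { return std::tolower(x) < std::tolower(y); });
  }
};
// Assumed model: duplicates are kept in insertion order per name.
using Headers = std::multimap<std::string, std::string, CiLess>;

// The four names this page lists as server-generated metadata.
static const char *const kReserved[] = {"REMOTE_ADDR", "REMOTE_PORT", "LOCAL_ADDR", "LOCAL_PORT"};

// First-match lookup: an earlier (client) entry shadows a later (server) one.
std::string first_value(const Headers &h, const std::string &name) {
  auto range = h.equal_range(name);
  return range.first == range.second ? std::string() : range.first->second;
}

// Hypothetical sanitizer: drop every client-supplied copy of a reserved name,
// in any letter case. Returns the number removed so the caller can log it.
std::size_t strip_reserved(Headers &client_headers) {
  std::size_t removed = 0;
  for (const char *name : kReserved) removed += client_headers.erase(name);
  return removed;
}

// Hypothetical stand-in for the server attaching socket-derived metadata.
void add_socket_metadata(Headers &h, const std::string &peer_ip, int peer_port) {
  h.emplace("REMOTE_ADDR", peer_ip);
  h.emplace("REMOTE_PORT", std::to_string(peer_port));
}

// Returns the REMOTE_ADDR a handler would read for one constructed request.
std::string seen_remote_addr(bool sanitize) {
  // Constructed request headers; "remote_addr" is the client-supplied copy.
  Headers h = {{"Host", "app.example"}, {"remote_addr", "10.0.0.1"}, {"X-Request-Id", "abc"}};
  if (sanitize) strip_reserved(h);
  add_socket_metadata(h, "203.0.113.7", 51234);  // constructed peer address
  return first_value(h, "REMOTE_ADDR");
}
```

A non-zero return from strip_reserved is itself worth logging, since it matches the log indicators listed under Detection & Monitoring.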
🔍 How to Verify
Check if Vulnerable:
Check whether your application includes an httplib.h version earlier than 0.27.0. Review code for usage of Request::get_header_value with the vulnerable header names.
Check Version:
grep -n "CPPHTTPLIB_VERSION" httplib.h | head -1
Verify Fix Applied:
Verify that the httplib.h version is 0.27.0 or later. Test that client-supplied REMOTE_ADDR, REMOTE_PORT, LOCAL_ADDR, and LOCAL_PORT headers are ignored by the server.
📡 Detection & Monitoring
Log Indicators:
- Inconsistent IP addresses in logs for the same session
- Requests with REMOTE_ADDR, REMOTE_PORT, LOCAL_ADDR, or LOCAL_PORT headers in access logs
Network Indicators:
- HTTP requests containing REMOTE_ADDR, REMOTE_PORT, LOCAL_ADDR, or LOCAL_PORT headers
SIEM Query:
http.headers:*REMOTE_ADDR* OR http.headers:*REMOTE_PORT* OR http.headers:*LOCAL_ADDR* OR http.headers:*LOCAL_PORT*