CVE-2025-66570
Summary
CVE-2025-66570 is a critical vulnerability affecting cpp-httplib, a C++11 single-file header-only HTTP/HTTPS library. This vulnerability allows attackers to inject malicious HTTP headers, potentially leading to IP spoofing, log poisoning, and authorization bypass. Upgrade to version 0.27.0 or later to mitigate this risk.
Technical Details
CVE-2025-66570 arises from the way cpp-httplib handles incoming HTTP headers. The read_headers() function in httplib.h parses attacker-controlled HTTP headers and inserts them into the Request.headers multimap. The server subsequently appends its own internal metadata under the same header names (REMOTE_ADDR, REMOTE_PORT, LOCAL_ADDR, LOCAL_PORT) without removing the attacker-supplied duplicates. Because Request::get_header_value retrieves the *first* entry for a given header key, downstream code relying on these headers may use the attacker-controlled values instead of the server's intended metadata. This allows manipulation of logging, authorization decisions, and other server-side processes that depend on accurate client information.
The affected code segments are within cpp-httplib/httplib.h (read_headers, Server::process_request, Request::get_header_value, get_header_value_u64) and cpp-httplib/docker/main.cc (get_client_ip, nginx_access_logger, nginx_error_logger). The attack surface is the attacker-controlled HTTP headers in incoming requests. The vulnerability enables IP spoofing, log poisoning, and authorization bypass via header shadowing.
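The shadowing described above can be reproduced with a simplified model of the header store. This is an added example, not code from cpp-httplib: the names CiLess, first_value, add_metadata_append, add_metadata_replace and seen_by_handler are hypothetical, the addresses are constructed, only REMOTE_ADDR is modelled, and the erase-before-insert variant is one possible mitigation, not necessarily the change shipped in 0.27.0.

```cpp
#include <algorithm>
#include <cctype>
#include <cstdio>
#include <map>
#include <string>

// HTTP header names are case-insensitive, so the model compares them that way.
struct CiLess {
  bool operator()(const std::string &a, const std::string &b) const {
    return std::lexicographical_compare(a.begin(), a.end(), b.begin(), b.end(),
        [](unsigned char x, unsigned char y) { return std::tolower(x) < std::tolower(y); });
  }
};
// Simplified stand-in for Request.headers (assumption, not the library's type).
using Headers = std::multimap<std::string, std::string, CiLess>;

// First-match lookup: equal keys in a std::multimap keep insertion order.
std::string first_value(const Headers &h, const std::string &key) {
  auto range = h.equal_range(key);
  return range.first == range.second ? std::string() : range.first->second;
}

// Behaviour described above: metadata is appended after any client duplicate.
void add_metadata_append(Headers &h, const std::string &peer_ip) {
  h.emplace("REMOTE_ADDR", peer_ip);
}

// Hardened variant: drop client-supplied entries for the reserved name first.
void add_metadata_replace(Headers &h, const std::string &peer_ip) {
  h.erase("REMOTE_ADDR");
  h.emplace("REMOTE_ADDR", peer_ip);
}

// Value a handler reads for REMOTE_ADDR under each variant.
std::string seen_by_handler(bool hardened) {
  // Constructed request: the client supplies its own remote_addr header.
  Headers h{{"Host", "example.test"}, {"remote_addr", "203.0.113.7"}};
  const std::string socket_peer = "198.51.100.20";  // constructed peer address
  if (hardened) add_metadata_replace(h, socket_peer);
  else add_metadata_append(h, socket_peer);
  return first_value(h, "REMOTE_ADDR");
}

int main() {
  std::printf("append:  %s\n", seen_by_handler(false).c_str());
  std::printf("replace: %s\n", seen_by_handler(true).c_str());
  return 0;
}
```

The lowercase remote_addr in the constructed request shows why a case-sensitive filter on the reserved names would miss a duplicate.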
Affected Products and Versions
- yhirose cpp-httplib versions prior to 0.27.0
Impact Assessment
Successful exploitation of CVE-2025-66570 can have severe consequences.
- IP Spoofing: Attackers can forge the apparent source IP address of requests, potentially bypassing security measures based on IP whitelisting or rate limiting.
- Log Poisoning: Attackers can inject arbitrary data into server logs, making it difficult to track malicious activity and potentially leading to misidentification of legitimate users.
- Authorization Bypass: Attackers can manipulate headers used for authentication or authorization, potentially gaining unauthorized access to sensitive resources or functionality.
Remediation
Immediate Actions
- Upgrade to version 0.27.0 or later: This version contains the fix for CVE-2025-66570.
- Review and sanitize existing logs: Look for suspicious entries that may indicate previous exploitation attempts.
Long-term Solutions
- Implement robust input validation: Validate and sanitize all incoming HTTP headers to prevent injection attacks.
- Avoid relying solely on HTTP headers for authentication or authorization: Use more secure mechanisms such as tokens or certificates.
- Regularly update dependencies: Keep cpp-httplib and other libraries up to date to benefit from the latest security patches.
Detection & Scanning
Detecting CVE-2025-66570 requires analyzing HTTP traffic for malicious header injections. Look for requests containing headers like REMOTE_ADDR, REMOTE_PORT, LOCAL_ADDR, and LOCAL_PORT with unexpected or suspicious values. Network intrusion detection systems (NIDS) and web application firewalls (WAFs) can be configured to identify and block such requests.