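Versions of the package yhirose/cpp-httplib before 0.12.4 are vulnerable to CRLF injection when untrusted user input is used to set the Content-Type header in HTTP requests made with .Patch, .Post, .Put and .Delete. Because a carriage return/line feed sequence ends a header line, such a value can add or alter header lines in the outgoing request, which can lead to logical errors and other misbehaviors. Callers that cannot upgrade to 0.12.4 or later should reject CR and LF characters in any value passed as the content type.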
Note: This issue is present due to an incomplete fix for CVE-2020-11709.
[
{
"digest": {
"length": 388.0,
"function_hash": "109966815411537648843441367288065635615"
},
"id": "CVE-2023-26130-21a54e0e",
"signature_type": "Function",
"source": "https://github.com/yhirose/cpp-httplib/commit/5b397d455d25a391ba346863830c1949627b4d08",
"target": {
"function": "ClientImpl::Delete",
"file": "httplib.h"
},
"signature_version": "v1",
"deprecated": false
},
{
"digest": {
"length": 1120.0,
"function_hash": "35569012576694440171295832243462095219"
},
"id": "CVE-2023-26130-5fca9b81",
"signature_type": "Function",
"source": "https://github.com/yhirose/cpp-httplib/commit/3409c00e6f5402eb4e300b45e44e11c3bdfe1a5c",
"target": {
"function": "TEST",
"file": "test/test.cc"
},
"signature_version": "v1",
"deprecated": false
},
{
"digest": {
"threshold": 0.9,
"line_hashes": [
"240546714197613901225135025049891811065",
"281359695489656118217132824194790029215",
"141100706139141240794297513523566178801",
"257401186085714088225665496030940799809",
"266999212831628499894199473091797931521",
"163654709277731614310927002998848432150",
"138312761278507162117124159758709388533",
"197040501012530565556432899207205425793",
"29329557185643061112666599917590939238",
"123679281143948633142886664436880169165",
"179715767415284408119662037796951390396",
"283784769374285954881203373702188392958",
"78471242690701597060233742629271288067",
"45395349523080967503783899388300985935",
"285481731896186353164427159891493729098",
"15261480622365642915922624777555123122",
"317884962674836639459205031953176461810",
"78574124308579225908216185220484120442",
"46409177969390960568963050040063899099",
"52884957163233979602012252395591696460",
"285481731896186353164427159891493729098",
"271099896641126076271776673180798028955",
"115872061558010987378685809038212008954",
"150198206661006590483052285621191375728",
"21529886343834565313946105240007723944",
"219267433703435206992458911625660185981",
"3454078906943529537447873089224406093",
"288941712464102977342458696139318188799",
"11888752636155088128626065104478292533",
"237249969474923397336760526460916940034",
"227547934201798176635432229967662482688",
"213243363127129726434326592048833929868",
"91189192624312571944757797775534181967",
"172447349208613058279433624793130932826",
"42438591447104761819934714216334386611",
"43279272667674496761922329937210371459",
"221669613972245109214552444118965822381",
"25890372836897616021426605350896927090",
"177574495626415831368121237409677952913",
"184925319423389393108605958123662057471",
"96222184525236419324041050727118803557",
"121506686343056279693430464009499086375",
"127897810752844729842945555070185252039",
"54633851183723119887633517753716631339",
"45233661693126392736257131538917603400",
"55076981720850698294869832745966593006",
"238035926488125565795593247124337555776",
"222694781720044657380809501298380728038",
"330953320509980749280880818237538181671",
"167816967215818660901504119140161071729",
"313584731172998566835312374989849191102",
"330680623702791368517268477698187304972",
"296661034061856705527257743306531599773",
"214528328745644867655484970798040870610",
"120323759457526214953900833992134261809",
"20335766596953278218923253364844819852",
"254488437181657543852414088198486925357",
"269654571826332691562144158897977692042",
"135922896872913724793782750198790557885",
"204421843348507423913044288399188300037",
"295609526960319962045791207174566740684",
"252369901289634197586559092854798265610",
"126255844900217836334875914602009101316",
"253911798821508263074308600285066891513",
"71515147741562374363259029459669429528",
"293234123562824940366329355731346828749",
"121827682667085125605843738654712038305",
"94036945436949995505551363689596938965"
]
},
"id": "CVE-2023-26130-78fa3e6c",
"signature_type": "Line",
"source": "https://github.com/yhirose/cpp-httplib/commit/5b397d455d25a391ba346863830c1949627b4d08",
"target": {
"file": "httplib.h"
},
"signature_version": "v1",
"deprecated": false
},
{
"digest": {
"threshold": 0.9,
"line_hashes": [
"68044247893237206215857661173568314861",
"197717767563454098861794130638678775532",
"99147049167960489553197822077745994701",
"159611932012411473308448340176052836846",
"202377073190158381562794479996839322890",
"183099897654385386401166102219125224747",
"82190000536610861958530938722442799848",
"90414146919542147057905906816721230515",
"61510334937010552434888752573287737669",
"63870351593464118270098115160094125066",
"308035859153562323517395417400799579343",
"217393392452371181984896104269802086293",
"336269094733246049315519826340961812394",
"92828630538069173125029869096307968896",
"159633514276954905289319894660343660921",
"327357640814879978939264197477367075440",
"74852948733191085374236914759142626669",
"86806557740758596906953347384713946063",
"262858507079201096594466588353960800433",
"231195579412430096880740469375289944676",
"210389924922484416855896159934943815567",
"5110033694655788430881671510662726413",
"60329482133483532830835487501048445593"
]
},
"id": "CVE-2023-26130-8738fc8f",
"signature_type": "Line",
"source": "https://github.com/yhirose/cpp-httplib/commit/3409c00e6f5402eb4e300b45e44e11c3bdfe1a5c",
"target": {
"file": "test/test.cc"
},
"signature_version": "v1",
"deprecated": false
},
{
"digest": {
"length": 17899.0,
"function_hash": "122618434027315813988074880335904977543"
},
"id": "CVE-2023-26130-cb672d56",
"signature_type": "Function",
"source": "https://github.com/yhirose/cpp-httplib/commit/3409c00e6f5402eb4e300b45e44e11c3bdfe1a5c",
"target": {
"function": "SetUp",
"file": "test/test.cc"
},
"signature_version": "v1",
"deprecated": false
},
{
"digest": {
"length": 1892.0,
"function_hash": "289528182960760020231947278313234685575"
},
"id": "CVE-2023-26130-ccaed971",
"signature_type": "Function",
"source": "https://github.com/yhirose/cpp-httplib/commit/5b397d455d25a391ba346863830c1949627b4d08",
"target": {
"function": "ClientImpl::send_with_content_provider",
"file": "httplib.h"
},
"signature_version": "v1",
"deprecated": false
},
{
"digest": {
"length": 3147.0,
"function_hash": "1746522660174197105611120685402022537"
},
"id": "CVE-2023-26130-e98a4f4d",
"signature_type": "Function",
"source": "https://github.com/yhirose/cpp-httplib/commit/5b397d455d25a391ba346863830c1949627b4d08",
"target": {
"function": "Server::apply_ranges",
"file": "httplib.h"
},
"signature_version": "v1",
"deprecated": false
},
{
"digest": {
"length": 3122.0,
"function_hash": "134017682451038564924117699348251447690"
},
"id": "CVE-2023-26130-f98e13b5",
"signature_type": "Function",
"source": "https://github.com/yhirose/cpp-httplib/commit/5b397d455d25a391ba346863830c1949627b4d08",
"target": {
"function": "ClientImpl::write_request",
"file": "httplib.h"
},
"signature_version": "v1",
"deprecated": false
}
]
"https://storage.googleapis.com/osv-test-cve-osv-conversion/osv-output/CVE-2023-26130.json"