CVE-2025-0825

Feb. 4, 2025, 3:15 p.m.

None
No Score

Description

cpp-httplib version v0.17.3 through v0.18.3 fails to filter CRLF characters ("\r\n") when those are prefixed with a null byte. This enables attackers to exploit CRLF injection that could further lead to HTTP Response Splitting, XSS, and more.

Product(s) Impacted

Product Versions
cpp-httplib
  • ['v0.17.3', 'v0.18.3']

Weaknesses

Common security weaknesses mapped to this vulnerability.

CWE-113
Improper Neutralization of CRLF Sequences in HTTP Headers ('HTTP Request/Response Splitting')
The product receives data from an HTTP agent/component (e.g., web server, proxy, browser, etc.), but it does not neutralize or incorrectly neutralizes CR and LF characters before the data is included in outgoing HTTP headers.

References

https://github.com/yhirose/cpp-httplib/commit/9c36aae4b73e2b6e493f4133e4173103c9266289

Tags

596c5446-0ce5-4ba2-aa66-48b3b757a647
CWE-113
2025-02-04
CVE-2025-0825

Timeline

Published: Feb. 4, 2025, 3:15 p.m.
Last Modified: Feb. 4, 2025, 3:15 p.m.

Status : Awaiting Analysis

CVE has been recently published to the CVE List and has been received by the NVD.

More info

Source

596c5446-0ce5-4ba2-aa66-48b3b757a647

*Disclaimer: Some vulnerabilities do not have an associated CPE. To enhance the data, we use AI to infer CPEs based on CVE details. This is an automated process and might not always be accurate.