cpp-httplib is a C++11 single-file, header-only, cross-platform HTTP/HTTPS library. Prior to version 0.30.0, the write_headers function does not check for CR and LF characters in user-supplied headers, allowing an untrusted header value to escape its header line. This vulnerability allows attackers to add extra headers, modify the request body unexpectedly, and trigger an SSRF attack. When combined with a server that supports HTTP/1.1 pipelining (Spring Boot, Python Twisted, etc.), this can be used for server-side request forgery (SSRF). Version 0.30.0 fixes this issue.
cpp-httplib versions prior to 0.30.0 are vulnerable to HTTP header injection, allowing attackers to inject malicious headers into HTTP requests. This can lead to server-side request forgery (SSRF), enabling attackers to access internal resources and potentially compromise the server or other connected systems.
Step 1: Payload Delivery: The attacker crafts a malicious HTTP request containing a header with a crafted value. This value includes CR and LF characters followed by the attacker's injected header(s).
Step 2: Request Processing: The vulnerable cpp-httplib library receives the malicious request and processes the headers. Because write_headers performs no sanitization, the CR and LF characters pass through unfiltered.
Step 3: Header Injection: The CR and LF characters in the malicious header value are interpreted as the end of the original header and the start of a new header. This allows the attacker to inject arbitrary headers.
Step 4: SSRF Trigger (if applicable): If the injected headers include a Host header pointing to an internal resource or a different server, and the server supports HTTP/1.1 pipelining, the attacker can trigger an SSRF attack, causing the server to make requests to the attacker-specified destination.
The vulnerability stems from the write_headers function in cpp-httplib failing to sanitize user-supplied header values. Specifically, it does not validate or filter carriage return (CR) and line feed (LF) characters, which are the characters that delimit HTTP header lines. By injecting CR and LF characters into a header value, an attacker can effectively terminate the existing header and inject new, malicious headers. This allows for various attacks, including HTTP header injection, request smuggling, and SSRF. The root cause is a lack of input validation on user-controlled data before it is used to construct HTTP headers; without that check, the structure of the HTTP request itself can be manipulated.
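The following is an added example, not code from cpp-httplib or from the advisory, that models the header serialization step described in the attack steps and the root cause above. The function names write_headers_unchecked, write_headers_checked, has_crlf and count_header_lines are hypothetical, and the sample headers (including the CRLF-bearing value) are constructed. It shows why the pre-0.30.0 behaviour lets one caller-supplied header become two wire-level header lines, and how a CR/LF check at serialization time closes that gap.

```cpp
#include <cassert>
#include <cstddef>
#include <stdexcept>
#include <string>
#include <utility>
#include <vector>

// Added example, not cpp-httplib's own code. It models the serialization of
// headers as one "Name: value\r\n" line per header, which is where the
// advisory's CR/LF check belongs.
using Headers = std::vector<std::pair<std::string, std::string>>;

// True if a header name or value contains a carriage return or line feed,
// the two characters that delimit header lines on the wire.
bool has_crlf(const std::string &s) {
    return s.find_first_of("\r\n") != std::string::npos;
}

// Hypothetical model of the pre-fix path: the value is copied verbatim, so an
// embedded "\r\n" ends the line early and whatever follows becomes a new
// header line from the receiver's point of view.
std::string write_headers_unchecked(const Headers &headers) {
    std::string out;
    for (const auto &h : headers) {
        out += h.first + ": " + h.second + "\r\n";
    }
    out += "\r\n";
    return out;
}

// Hardened path: refuse to serialize any header whose name or value contains
// CR or LF. Rejecting is preferable to stripping, because a silently altered
// header can still surprise the caller.
std::string write_headers_checked(const Headers &headers) {
    std::string out;
    for (const auto &h : headers) {
        if (has_crlf(h.first) || has_crlf(h.second)) {
            throw std::invalid_argument("header contains CR or LF: " + h.first);
        }
        out += h.first + ": " + h.second + "\r\n";
    }
    out += "\r\n";
    return out;
}

// Count the header lines in a serialized block up to the terminating blank
// line. A receiver sees one header per line, so this is what "extra headers"
// means in practice.
std::size_t count_header_lines(const std::string &block) {
    std::size_t n = 0;
    std::size_t pos = 0;
    while (true) {
        std::size_t end = block.find("\r\n", pos);
        if (end == std::string::npos || end == pos) break;  // blank line ends headers
        ++n;
        pos = end + 2;
    }
    return n;
}

// Constructed sample: two headers supplied by the caller, one of which
// carries an attacker-controlled value with an embedded CRLF.
Headers sample_headers() {
    return {
        {"Accept", "text/plain"},
        {"X-Forwarded-For", "203.0.113.7\r\nX-Injected: 1"},  // constructed value
    };
}

// True when the unchecked path emits more header lines than the caller
// passed in, i.e. the injected text was promoted to its own header.
bool unchecked_path_gains_header() {
    Headers h = sample_headers();
    return count_header_lines(write_headers_unchecked(h)) > h.size();
}

// True when the checked path rejects the same input before anything is sent.
bool checked_path_rejects() {
    try {
        write_headers_checked(sample_headers());
        return false;
    } catch (const std::invalid_argument &) {
        return true;
    }
}

int main() {
    assert(unchecked_path_gains_header());
    assert(checked_path_rejects());
    return 0;
}
```

The same two-header input produces three header lines on the unchecked path and an exception on the checked one. Applying the check at the point where bytes are written, rather than relying on each caller to sanitize, is what makes the fix hold for every header the library emits.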