Source: security-advisories@github.com
cpp-httplib is a C++11 single-file header-only cross platform HTTP/HTTPS library. Prior to version 0.30.0, the ``write_headers`` function does not check for CR & LF characters in user supplied headers, allowing untrusted header value to escape header lines. This vulnerability allows attackers to add extra headers, modify request body unexpectedly & trigger an SSRF attack. When combined with a server that supports http1.1 pipelining (springboot, python twisted etc), this can be used for server side request forgery (SSRF). Version 0.30.0 fixes this issue.
cpp-httplib versions prior to 0.30.0 are vulnerable to HTTP header injection, allowing attackers to inject malicious headers into HTTP requests. This can lead to server-side request forgery (SSRF), enabling attackers to access internal resources and potentially compromise the server or other connected systems.
Step 1: Payload Delivery: The attacker crafts a malicious HTTP request containing a header with a crafted value. This value includes CR and LF characters followed by the attacker's injected header(s).
Step 2: Request Processing: The vulnerable cpp-httplib library receives the malicious request and processes the headers. The write_headers function, due to the lack of sanitization, does not filter the CR and LF characters.
Step 3: Header Injection: The CR and LF characters in the malicious header value are interpreted as the end of the original header and the start of a new header. This allows the attacker to inject arbitrary headers.
Step 4: SSRF Trigger (if applicable): If the injected headers include a Host header pointing to an internal resource or a different server, and the server supports HTTP/1.1 pipelining, the attacker can trigger an SSRF attack, causing the server to make requests to the attacker-specified destination.
The vulnerability stems from the write_headers function in cpp-httplib failing to sanitize user-supplied header values. Specifically, it does not validate or filter carriage return (CR) and line feed (LF) characters. These characters are used to delimit HTTP headers. By injecting CR and LF characters into a header value, an attacker can effectively terminate the existing header and inject new, malicious headers. This allows for various attacks, including HTTP header injection, request smuggling, and SSRF. The root cause is a lack of input validation on user-controlled data before it is used to construct HTTP headers. The absence of proper sanitization allows for the manipulation of the HTTP request structure.
While no specific APTs are directly linked, this vulnerability is attractive to attackers due to its potential for SSRF and internal network access. Attackers could use this to pivot within a network. This vulnerability is not currently listed on the CISA KEV list, but it's a candidate for future inclusion if actively exploited.
Network traffic analysis: Examine HTTP requests for unusual header values containing CR and LF characters (e.g., %0d%0a).
Web server logs: Monitor web server logs for unexpected HTTP headers or responses that indicate header injection.
Intrusion Detection Systems (IDS): Implement IDS rules to detect malicious header injection attempts, focusing on CR/LF characters in header values.
File Integrity Monitoring (FIM): Monitor the cpp-httplib library files for unauthorized modifications.
Upgrade to cpp-httplib version 0.30.0 or later. This version includes the fix for the vulnerability.
Input validation: Implement robust input validation to sanitize all user-supplied header values. Specifically, filter or remove CR and LF characters from header values before they are used to construct HTTP headers.
Web Application Firewall (WAF): Deploy a WAF to filter malicious HTTP requests and prevent header injection attacks.
Least privilege: Ensure that the web server process has the least necessary privileges to access internal resources, limiting the impact of a successful SSRF attack.