CVE-2023-26130

NameCVE-2023-26130
DescriptionVersions of the package yhirose/cpp-httplib before 0.12.4 are vulnerable to CRLF Injection when untrusted user input is used to set the content-type header in the HTTP .Patch, .Post, .Put and .Delete requests. This can lead to logical errors and other misbehaviors. **Note:** This issue is present due to an incomplete fix for [CVE-2020-11709](https://security.snyk.io/vuln/SNYK-UNMANAGED-YHIROSECPPHTTPLIB-2366507).
SourceCVE (at NVD; CERT, LWN, oss-sec, fulldisc, Red Hat, Ubuntu, Gentoo, SUSE bugzilla/CVE, GitHub advisories/code/issues, web search, more)
Debian Bugs1037100

Vulnerable and fixed packages

The table below lists information on source packages.

Source PackageReleaseVersionStatus
cpp-httplib (PTS)bookworm0.11.4+ds-1+deb12u1fixed
sid, trixie0.16.3+ds-2fixed

The information below is based on the following data on fixed versions.

PackageTypeReleaseFixed VersionUrgencyOriginDebian Bugs
cpp-httplibsourcebookworm0.11.4+ds-1+deb12u1
cpp-httplibsource(unstable)0.11.4+ds-21037100

Notes

https://security.snyk.io/vuln/SNYK-UNMANAGED-YHIROSECPPHTTPLIB-5591194
https://gist.github.com/dellalibera/094aece17a86069a7d27f93c8aba2280
https://github.com/yhirose/cpp-httplib/commit/5b397d455d25a391ba346863830c1949627b4d08 (v0.12.4)
Search for package or bug name: Reporting problems