| Name | CVE-2023-26130 |
| Description | Versions of the package yhirose/cpp-httplib before 0.12.4 are vulnerable to CRLF Injection when untrusted user input is used to set the content-type header in the HTTP .Patch, .Post, .Put and .Delete requests. This can lead to logical errors and other misbehaviors. **Note:** This issue is present due to an incomplete fix for [CVE-2020-11709](https://security.snyk.io/vuln/SNYK-UNMANAGED-YHIROSECPPHTTPLIB-2366507). |
| Source | CVE (at NVD; CERT, LWN, oss-sec, fulldisc, Red Hat, Ubuntu, Gentoo, SUSE bugzilla/CVE, GitHub advisories/code/issues, web search, more) |
| Debian Bugs | 1037100 |
The table below lists information on source packages.
| Source Package | Release | Version | Status |
|---|---|---|---|
| cpp-httplib (PTS) | bookworm | 0.11.4+ds-1+deb12u1 | fixed |
| sid, trixie | 0.18.7-1 | fixed |
The information below is based on the following data on fixed versions.
| Package | Type | Release | Fixed Version | Urgency | Origin | Debian Bugs |
|---|---|---|---|---|---|---|
| cpp-httplib | source | bookworm | 0.11.4+ds-1+deb12u1 | |||
| cpp-httplib | source | (unstable) | 0.11.4+ds-2 | 1037100 |
https://security.snyk.io/vuln/SNYK-UNMANAGED-YHIROSECPPHTTPLIB-5591194
https://gist.github.com/dellalibera/094aece17a86069a7d27f93c8aba2280
https://github.com/yhirose/cpp-httplib/commit/5b397d455d25a391ba346863830c1949627b4d08 (v0.12.4)