CVE-2026-34441

Name	CVE-2026-34441
Description	cpp-httplib is a C++11 single-file header-only cross platform HTTP/HTTPS library. Prior to version 0.40.0, cpp-httplib is vulnerable to HTTP Request Smuggling. The server's static file handler serves GET responses without consuming the request body. On HTTP/1.1 keep-alive connections, the unread body bytes remain on the TCP stream and are interpreted as the start of a new HTTP request. An attacker can embed an arbitrary HTTP request inside the body of a GET request, which the server processes as a separate request. This issue has been patched in version 0.40.0.
Source	CVE (at NVD; CERT, ENISA, LWN, oss-sec, fulldisc, Debian ELTS, Red Hat, Ubuntu, Gentoo, SUSE bugzilla/CVE, GitHub advisories/code/issues, web search, more)
Debian Bugs	1133187

Vulnerable and fixed packages

The table below lists information on source packages.

Source Package	Release	Version	Status
cpp-httplib (PTS)	bookworm	0.11.4+ds-1+deb12u1	vulnerable
	trixie	0.18.7-1	vulnerable
	trixie (security)	0.18.7-1+deb13u1	vulnerable
	forky, sid	0.41.0+ds-3	fixed

The information below is based on the following data on fixed versions.

Package	Type	Release	Fixed Version	Urgency	Origin	Debian Bugs
cpp-httplib	source	(unstable)	0.41.0+ds-3			1133187

Notes

https://github.com/yhirose/cpp-httplib/security/advisories/GHSA-jv63-rm9j-6jwc
Fixed by: https://github.com/yhirose/cpp-httplib/commit/6fd97aeca0faa1c6e1bd7ae8150c821dcff31c3b (v0.40.0)