CVE-2026-54919

NameCVE-2026-54919
Descriptioncpp-httplib is a C++11 single-file header-only cross platform HTTP/HTTPS library. In affected Mbed TLS backend versions from 0.31.0 through 0.46.1 and wolfSSL backend versions from 0.33.0 through 0.46.1, when cpp-httplib is built with CPPHTTPLIB_MBEDTLS_SUPPORT or CPPHTTPLIB_WOLFSSL_SUPPORT and a client connects to an IP-literal host with server certificate verification enabled, SSLClient and Client in HTTPS mode skip certificate chain validation and WebSocketClient on the Mbed TLS backend skips verification altogether, allowing a man-in-the-middle attacker positioned to intercept traffic to present a crafted certificate and read or modify the traffic. This issue is fixed in version 0.47.0.
SourceCVE (at NVD; CERT, ENISA, LWN, oss-sec, fulldisc, Debian ELTS, Red Hat, Ubuntu, Gentoo, SUSE bugzilla/CVE, GitHub advisories/code/issues, web search, more)

Vulnerable and fixed packages

The table below lists information on source packages.

Source PackageReleaseVersionStatus
cpp-httplib (PTS)bookworm0.11.4+ds-1+deb12u1vulnerable
trixie (security), trixie0.18.7-1+deb13u1vulnerable
forky, sid0.41.0+ds-3vulnerable

The information below is based on the following data on fixed versions.

PackageTypeReleaseFixed VersionUrgencyOriginDebian Bugs
cpp-httplibsource(unstable)(unfixed)unimportant

Notes

https://github.com/yhirose/cpp-httplib/security/advisories/GHSA-8ffh-4p95-g3p2
Fixed by: https://github.com/yhirose/cpp-httplib/commit/fa981cedae004ea9d946f1392b9dec22fac6fee6 (v0.47.0)
Only affects Mbed TLS and wolfSSL backends

Search for package or bug name: Reporting problems