CVE-2026-34441

cpp-httplib: HTTP Request Smuggling via Unconsumed GET Request Body

CVSS 4.8 MEDIUMEPSS 0.2%CWE-444

Vexday Risk Score

13Low

SSVC decision (CISA)

Track

No exploitation signal → monitor

CVSS 4.8EPSS 0.2%KEV nãoPoC —Nuclei —Metasploit —Patch —

Lifecycle

31 Mar 2026Published on NVD

Recommendation: Monitor — no exploitation signal at the moment.

cpp-httplib is a C++11 single-file header-only cross platform HTTP/HTTPS library. Prior to version 0.40.0, cpp-httplib is vulnerable to HTTP Request Smuggling. The server's static file handler serves GET responses without consuming the request body. On HTTP/1.1 keep-alive connections, the unread body bytes remain on the TCP stream and are interpreted as the start of a new HTTP request. An attacker can embed an arbitrary HTTP request inside the body of a GET request, which the server processes as a separate request. This issue has been patched in version 0.40.0.

CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:N

Affected products

yhirose · cpp-httplib

Want to know if your infrastructure is exposed to this?

Talk to TrueHacking →

References

https://github.com/yhirose/cpp-httplib/releases/tag/v0.40.0 https://github.com/yhirose/cpp-httplib/security/advisories/GHSA-jv63-rm9j-6jwc