CVE-2026-21428: A Silent Header Injection Flaw Turning Simple HTTP Requests into Full-Blown SSRF Attacks

CVE ID: CVE-2026-21428
Affected Component: cpp-httplib (C++11 header-only HTTP/HTTPS library)
Affected Versions: < 0.30.0
Fixed Version: 0.30.0
Vulnerability Type: HTTP Header Injection / Request Smuggling leading to SSRF
CVSS v3.x Score: 8.6 (High)
Severity: High
Attack Vector: Network
Privileges Required: None
User Interaction: None
Exploitability: High
Exploit Availability: Public proof-of-concept patterns exist (no official exploit published)
Patch Availability: Yes (official upstream fix in v0.30.0)


Executive Summary

CVE-2026-21428 is a serious input validation flaw in cpp-httplib, a widely used lightweight C++ HTTP/HTTPS library.
The issue stems from improper handling of CR (\r) and LF (\n) characters in user-supplied HTTP header values.

Because the library fails to sanitize these characters before writing headers to the wire, an attacker can break out of the intended header line and inject arbitrary additional headers or even crafted HTTP requests.

In real-world deployments—especially when cpp-httplib is used as an HTTP client inside backend services—this vulnerability can escalate into Server-Side Request Forgery (SSRF), request smuggling, or backend protocol abuse.


Technical Details

Root Cause

The vulnerable function, write_headers, directly concatenates user-controlled header values into the HTTP request without validating or rejecting carriage return (\r) and line feed (\n) characters.

In HTTP/1.1, headers are line-based:

Header-Name: Header-Value\r\n

If an attacker injects CR/LF into a header value, they can prematurely terminate the header and start a new one—or even inject a full HTTP request.


What Goes Wrong Internally

Instead of enforcing:

X-User: normalvalue

An attacker can supply:

normalvalue\r\nHost: 169.254.169.254\r\n\r\nGET /latest/meta-data/

The library sends it verbatim, resulting in:

X-User: normalvalue
Host: 169.254.169.254

GET /latest/meta-data/

This turns a single outbound request into multiple attacker-controlled instructions.


Impact

An attacker can:

  • Inject arbitrary HTTP headers
  • Inject duplicates of sensitive headers such as Host, Authorization, or Content-Length; which copy wins depends on how the receiving server resolves duplicates
  • Smuggle additional HTTP requests onto the same connection
  • Modify or truncate the request body (for example, by injecting a Content-Length of 0)
  • Abuse HTTP/1.1 pipelining behavior
  • Perform Server-Side Request Forgery (SSRF) with the backend's network position
  • Reach internal-only services (cloud metadata, admin panels, internal APIs)

Why This Becomes SSRF

This vulnerability becomes especially dangerous when:

  • cpp-httplib is used as an HTTP client
  • The backend connects to internal services
  • The target server supports HTTP/1.1 pipelining or keep-alive
  • The service runs in cloud environments (AWS, GCP, Azure)

Common SSRF targets include:

  • 169.254.169.254 (cloud metadata)
  • localhost
  • Internal IP ranges (10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16)

Example Exploitation Scenario

  1. A web application accepts user input and forwards it as an HTTP header using cpp-httplib.
  2. The attacker injects CR/LF characters into that input.
  3. cpp-httplib writes the value verbatim, so the bytes on the wire are syntactically valid HTTP but contain headers and request lines the application never intended to send.
  4. The backend server processes the injected headers, and, if it reads further requests on the same connection, the smuggled request as well.
  5. The attacker gains access to internal resources or sensitive data.

This can happen without authentication and without user interaction.


Proof-of-Concept Style Payloads

Header Injection Payload

test\r\nX-Injected-Header: injected

SSRF-Oriented Payload

value\r\nHost: 169.254.169.254\r\n\r\nGET /latest/meta-data/iam/security-credentials/

Request Smuggling Payload

abc\r\nContent-Length: 0\r\n\r\nGET /admin HTTP/1.1\r\nHost: internal-service

MITRE ATT&CK Mapping

  • T1190 – Exploit Public-Facing Application
  • T1046 – Network Service Discovery
  • T1071.001 – Application Layer Protocol: Web Protocols
  • T1090 – Proxy
  • T1005 – Data from Local System

Detection & Monitoring

What to Look For

  • At the application layer, before serialization: header values containing \r or \n
  • On the wire, where the injected CR/LF is indistinguishable from a normal line break:
    • Multiple Host headers in one request
    • Unexpected Content-Length changes
    • A second request line immediately after the header block the application wrote
  • Internal IPs appearing in outbound traffic
  • Backend services making requests they normally never make
  • HTTP logs showing malformed or duplicated headers

Recommended Log Sources

  • Application debug logs (HTTP client logs)
  • Reverse proxy logs (NGINX, Apache)
  • WAF logs
  • Network firewall egress logs
  • Cloud VPC flow logs
  • Service mesh telemetry (if applicable)

Detection Rules

  • Alert on outbound HTTP requests where:
    • Header values contain CR/LF characters (checked before the client serializes them)
    • More requests appear on a single TCP connection than the application issued
    • Requests target link-local or private IP ranges
  • Flag unusual Host header overrides, in particular a Host that differs from the connection's destination
  • Monitor sudden access to cloud metadata endpoints
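The rules above, run over a captured outbound stream, as an added example that is not part of the original advisory and not code from cpp-httplib. Once the library has written the payload, the injected CR/LF looks like any other line break, so the scanner keys on what survives on the wire: more than one request line in the stream, a duplicated Host header, and a Host that names a link-local, loopback, or RFC 1918 address. The sample streams, the hostname backend.internal and the path /api/profile are constructed for this example; the IPv4-literal check and the rule names are assumptions, not anything the page specifies.

```cpp
// Added example, not code from the advisory or from cpp-httplib: scan one
// captured outbound TCP payload for what a CR/LF header injection leaves on
// the wire (extra request lines, duplicate Host, Host pointing inward).
#include <cctype>
#include <cstdio>
#include <cstring>
#include <string>
#include <vector>

struct Finding {
    std::string rule;    // which detection rule fired
    std::string detail;  // the offending line
};

// Link-local (169.254/16), loopback, RFC 1918 ranges, or "localhost".
// Accepts "host" or "host:port"; only dotted-quad IPv4 literals are parsed
// (an assumption of this example; DNS names are reported as external).
bool is_internal_host(const std::string& host_port) {
    std::string host = host_port.substr(0, host_port.find(':'));
    if (host == "localhost") return true;
    unsigned o[4];
    if (std::sscanf(host.c_str(), "%u.%u.%u.%u", &o[0], &o[1], &o[2], &o[3]) != 4) return false;
    if (o[0] == 127) return true;
    if (o[0] == 169 && o[1] == 254) return true;
    if (o[0] == 10) return true;
    if (o[0] == 172 && o[1] >= 16 && o[1] <= 31) return true;
    if (o[0] == 192 && o[1] == 168) return true;
    return false;
}

static std::string lower(std::string s) {
    for (char& c : s) c = static_cast<char>(std::tolower(static_cast<unsigned char>(c)));
    return s;
}

static std::string trim(const std::string& s) {
    size_t b = s.find_first_not_of(" \t");
    if (b == std::string::npos) return "";
    return s.substr(b, s.find_last_not_of(" \t") - b + 1);
}

// A line starting with a method token opens a request. The injected payloads
// on this page omit the HTTP version ("GET /latest/meta-data/"), so the check
// keys on the method alone. Bodies are assumed absent (GET-style requests).
static bool is_request_line(const std::string& line) {
    static const char* methods[] = {"GET ", "HEAD ", "POST ", "PUT ", "DELETE ", "OPTIONS ", "PATCH "};
    for (const char* m : methods)
        if (line.compare(0, std::strlen(m), m) == 0) return true;
    return false;
}

std::vector<Finding> scan_stream(const std::string& stream) {
    std::vector<Finding> findings;
    int requests = 0, hosts = 0;
    bool in_headers = false;
    size_t pos = 0;
    while (pos < stream.size()) {
        size_t end = stream.find("\r\n", pos);
        std::string line = stream.substr(pos, end == std::string::npos ? std::string::npos : end - pos);
        pos = (end == std::string::npos) ? stream.size() : end + 2;

        if (is_request_line(line)) {
            if (++requests > 1) findings.push_back({"multiple-request-lines", line});
            hosts = 0;
            in_headers = true;
        } else if (line.empty()) {
            in_headers = false;  // blank line closes the header block
        } else if (in_headers) {
            size_t colon = line.find(':');
            if (colon == std::string::npos) { findings.push_back({"malformed-header", line}); continue; }
            std::string name = lower(trim(line.substr(0, colon)));
            std::string value = trim(line.substr(colon + 1));
            if (name == "host") {
                if (++hosts > 1) findings.push_back({"duplicate-host", line});
                if (is_internal_host(value)) findings.push_back({"internal-host", line});
            }
        } else {
            findings.push_back({"data-after-headers", line});  // bytes where no body was expected
        }
    }
    return findings;
}

bool has_finding(const std::vector<Finding>& f, const std::string& rule) {
    for (const Finding& x : f) if (x.rule == rule) return true;
    return false;
}

// Constructed sample: the X-User payload from the "What Goes Wrong Internally"
// section as it appears once the library has written it verbatim.
const std::string kInjectedStream =
    "GET /api/profile HTTP/1.1\r\n"
    "Host: backend.internal\r\n"
    "X-User: normalvalue\r\n"
    "Host: 169.254.169.254\r\n"
    "\r\n"
    "GET /latest/meta-data/\r\n"
    "\r\n";

// Constructed benign sample for comparison: the request the application meant to send.
const std::string kBenignStream =
    "GET /api/profile HTTP/1.1\r\n"
    "Host: backend.internal\r\n"
    "X-User: normalvalue\r\n"
    "\r\n";

int main() {
    for (const Finding& f : scan_stream(kInjectedStream))
        std::printf("%-24s %s\n", f.rule.c_str(), f.detail.c_str());
    return 0;
}
```

On the injected sample the scanner reports duplicate-host and internal-host for the second Host line and multiple-request-lines for the smuggled GET; the benign sample produces nothing. A keep-alive connection legitimately carries several requests, so in production the "multiple-request-lines" rule should be compared against the number of requests the application actually issued rather than treated as a fixed threshold.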

Mitigation & Remediation

Immediate Actions

  • Upgrade cpp-httplib to version 0.30.0 or later
  • Reject (preferably) or sanitize CR (\r) and LF (\n) characters in all user-controlled header names and values; silently stripping them can still leave an injected "Host: ..." fragment inside the value
  • Avoid passing raw user input directly into HTTP headers
  • On the internal services the client talks to, disable HTTP/1.1 pipelining where it is not required, so a smuggled second request on the same connection is not processed
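The root cause described under "What Goes Wrong Internally" and the reject-or-sanitize action above, side by side in code. This is an added example and is not cpp-httplib's write_headers nor code from the advisory: a minimal request serializer written the vulnerable way (every value concatenated verbatim) next to a hardened one that validates header names and values before they reach the wire. The path /api/profile, the hostname backend.internal and the helper names are constructed for this example; the payload is the one from the advisory.

```cpp
// Added example, not cpp-httplib's own code and not code from the advisory:
// a vulnerable request builder beside a hardened one that refuses CR/LF.
#include <cstdio>
#include <stdexcept>
#include <string>
#include <utility>
#include <vector>

using Headers = std::vector<std::pair<std::string, std::string>>;

// Vulnerable pattern: trust the caller and write each header line verbatim.
std::string build_request_unchecked(const std::string& path, const Headers& headers) {
    std::string out = "GET " + path + " HTTP/1.1\r\n";
    for (const auto& h : headers) out += h.first + ": " + h.second + "\r\n";
    return out + "\r\n";
}

// RFC 7230 field-value check: VCHAR, SP, HTAB and obs-text (0x80-0xFF) are
// allowed; CR, LF, NUL and every other control character are rejected.
bool is_safe_field_value(const std::string& v) {
    for (unsigned char c : v) {
        if (c == '\t') continue;
        if (c < 0x20 || c == 0x7f) return false;
    }
    return true;
}

// Field names are token characters only: no whitespace, no separators, no CR/LF.
bool is_safe_field_name(const std::string& n) {
    if (n.empty()) return false;
    static const std::string tchar_extra = "!#$%&'*+-.^_`|~";
    for (unsigned char c : n) {
        bool ok = (c >= '0' && c <= '9') || (c >= 'A' && c <= 'Z') ||
                  (c >= 'a' && c <= 'z') || tchar_extra.find(c) != std::string::npos;
        if (!ok) return false;
    }
    return true;
}

// Hardened pattern: validate, then refuse rather than strip. Stripping CR/LF
// would leave "normalvalueHost: 169.254.169.254GET /latest/meta-data/" in
// the value, which is harmless on the wire but hides the attack attempt.
std::string build_request_checked(const std::string& path, const Headers& headers) {
    if (path.find_first_of("\r\n ") != std::string::npos)
        throw std::invalid_argument("request target contains CR, LF or space");
    for (const auto& h : headers) {
        if (!is_safe_field_name(h.first))
            throw std::invalid_argument("invalid header name: " + h.first);
        if (!is_safe_field_value(h.second))
            throw std::invalid_argument("CR/LF or control character in header: " + h.first);
    }
    return build_request_unchecked(path, headers);
}

// Payload from the "What Goes Wrong Internally" section.
const std::string kPayload = "normalvalue\r\nHost: 169.254.169.254\r\n\r\nGET /latest/meta-data/";

// Count the request lines a receiving server would see in the serialized bytes
// ("GET " at the start of the buffer or directly after a CRLF).
int count_request_lines(const std::string& wire) {
    int n = 0;
    size_t pos = 0;
    while ((pos = wire.find("GET ", pos)) != std::string::npos) {
        if (pos == 0 || (pos >= 2 && wire.compare(pos - 2, 2, "\r\n") == 0)) ++n;
        pos += 4;
    }
    return n;
}

// True if the hardened builder refuses a request carrying `value` in X-User.
bool checked_rejects(const std::string& value) {
    try {
        build_request_checked("/api/profile", {{"Host", "backend.internal"}, {"X-User", value}});
        return false;
    } catch (const std::invalid_argument&) {
        return true;
    }
}

int main() {
    Headers h = {{"Host", "backend.internal"}, {"X-User", kPayload}};
    std::string wire = build_request_unchecked("/api/profile", h);
    std::printf("unchecked serializer produced %d request line(s)\n", count_request_lines(wire));
    std::printf("checked serializer rejected the payload: %s\n", checked_rejects(kPayload) ? "yes" : "no");
    return 0;
}
```

The unchecked builder turns one application request into two request lines with a second Host header between them, which is exactly the wire image shown in the root-cause section; the checked builder throws before anything is written. The same validation belongs on the request target and, for completeness, on any header a caller can influence, not only the one that happens to carry user input today.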

Official Patch

The issue is fully fixed in cpp-httplib v0.30.0, where header values are validated and CR/LF characters are rejected before writing headers to the request stream.

Official Patch Link:
https://github.com/yhirose/cpp-httplib/releases/tag/v0.30.0


Final Notes

This vulnerability is easy to overlook because it exists in a low-level helper library—but its impact can be severe when used in modern microservices or cloud environments.
If your application sends HTTP requests on behalf of users, this bug should be treated as high priority.

Upgrading is straightforward and strongly recommended.


Aegiron

Backed by 11+ years in cybersecurity and incident response, we decode the latest threats shaping today’s digital battlefield. This blog cuts through the noise with clear insights on vulnerabilities, emerging exploits, and the cyber news defenders can’t afford to miss.