An update for cpp-httplib is now available for openEuler-24.03-LTS Security Advisory openeuler-security@openeuler.org openEuler security committee openEuler-SA-2026-1158 Final 1.0 1.0 2026-01-16 Initial 2026-01-16 2026-01-16 openEuler SA Tool V1.0 2026-01-16 cpp-httplib security update An update for cpp-httplib is now available for openEuler-24.03-LTS A C++11 single-file header-only cross platform HTTP/HTTPS library. It's extremely easy to setup. Just include httplib.h file in your code! Security Fix(es): cpp-httplib is a C++11 single-file header-only cross platform HTTP/HTTPS library. Prior to version 0.30.0, the ``write_headers`` function does not check for CR & LF characters in user supplied headers, allowing untrusted header value to escape header lines. This vulnerability allows attackers to add extra headers, modify request body unexpectedly & trigger an SSRF attack. When combined with a server that supports http1.1 pipelining (springboot, python twisted etc), this can be used for server side request forgery (SSRF). Version 0.30.0 fixes this issue.(CVE-2026-21428) cpp-httplib is a C++11 single-file header-only cross platform HTTP/HTTPS library. Prior to version 0.30.1, a Denial of Service (DoS) vulnerability exists due to the unsafe handling of compressed HTTP request bodies (Content-Encoding: gzip, br, etc.). The library validates the payload_max_length against the compressed data size received from the network, but does not limit the size of the decompressed data stored in memory. An attacker can exploit this by sending a compressed payload with a very high compression ratio (e.g., a zip bomb), which upon decompression consumes excessive memory, leading to service unavailability.(CVE-2026-22776) An update for cpp-httplib is now available for master/openEuler-22.03-LTS-SP3/openEuler-22.03-LTS-SP4/openEuler-24.03-LTS/openEuler-24.03-LTS-Next/openEuler-24.03-LTS-SP1/openEuler-24.03-LTS-SP2/openEuler-24.03-LTS-SP3. openEuler Security has rated this update as having a security impact of high. A Common Vunlnerability Scoring System(CVSS)base score,which gives a detailed severity rating, is available for each vulnerability from the CVElink(s) in the References section. High cpp-httplib https://www.openeuler.org/zh/security/security-bulletins/detail/?id=openEuler-SA-2026-1158 https://www.openeuler.org/en/security/cve/detail/?cveId=CVE-2026-21428 https://www.openeuler.org/en/security/cve/detail/?cveId=CVE-2026-22776 https://nvd.nist.gov/vuln/detail/CVE-2026-21428 https://nvd.nist.gov/vuln/detail/CVE-2026-22776 openEuler-24.03-LTS cpp-httplib-0.30.1-1.oe2403.src.rpm cpp-httplib-0.30.1-1.oe2403.x86_64.rpm cpp-httplib-debuginfo-0.30.1-1.oe2403.x86_64.rpm cpp-httplib-debugsource-0.30.1-1.oe2403.x86_64.rpm cpp-httplib-devel-0.30.1-1.oe2403.x86_64.rpm cpp-httplib-0.30.1-1.oe2403.aarch64.rpm cpp-httplib-debuginfo-0.30.1-1.oe2403.aarch64.rpm cpp-httplib-debugsource-0.30.1-1.oe2403.aarch64.rpm cpp-httplib-devel-0.30.1-1.oe2403.aarch64.rpm cpp-httplib is a C++11 single-file header-only cross platform HTTP/HTTPS library. Prior to version 0.30.0, the ``write_headers`` function does not check for CR & LF characters in user supplied headers, allowing untrusted header value to escape header lines. This vulnerability allows attackers to add extra headers, modify request body unexpectedly & trigger an SSRF attack. When combined with a server that supports http1.1 pipelining (springboot, python twisted etc), this can be used for server side request forgery (SSRF). Version 0.30.0 fixes this issue. 2026-01-16 CVE-2026-21428 openEuler-24.03-LTS High 7.7 AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:H/VA:N/SC:N/SI:N/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X cpp-httplib security update 2026-01-16 https://www.openeuler.org/zh/security/security-bulletins/detail/?id=openEuler-SA-2026-1158 cpp-httplib is a C++11 single-file header-only cross platform HTTP/HTTPS library. Prior to version 0.30.1, a Denial of Service (DoS) vulnerability exists due to the unsafe handling of compressed HTTP request bodies (Content-Encoding: gzip, br, etc.). The library validates the payload_max_length against the compressed data size received from the network, but does not limit the size of the decompressed data stored in memory. An attacker can exploit this by sending a compressed payload with a very high compression ratio (e.g., a zip bomb), which upon decompression consumes excessive memory, leading to service unavailability. 2026-01-16 CVE-2026-22776 openEuler-24.03-LTS High 8.7 AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X cpp-httplib security update 2026-01-16 https://www.openeuler.org/zh/security/security-bulletins/detail/?id=openEuler-SA-2026-1158