{
  "claim": {
    "argus_claim_ref": null,
    "attacker_control": null,
    "claimed_surface": "library_api",
    "expected_impact": null,
    "finding_id": null,
    "id": null,
    "required_entrypoint_detail": null,
    "required_entrypoint_kind": "function_call",
    "submission_reason": "ticket_derived",
    "trigger_class": null,
    "upstream_verdicts": null
  },
  "latest_description": "CRITICAL: HTTP Request Smuggling Vulnerability in cpp-httplib\n\n## Overview\ncpp-httplib (16.3k+ GitHub stars) is vulnerable to HTTP Request Smuggling in versions ≤0.38.0. The server's static file handler serves GET responses WITHOUT consuming the request body, leaving body bytes on the TCP stream to be interpreted as a new HTTP request on keep-alive connections.\n\n## Root Cause Analysis\n\n**Primary Issue - Unconsumed Request Body:**\nIn Server::routing() at line 11587-11589, when a GET request matches a static file mount point, handle_file_request() returns true immediately. The expect_content() check at line 11592 (which would read the body) is never reached.\n\nAfter serving the response, process_server_socket_core() (line 5629) reuses the keep-alive connection. The unread body bytes remain in the TCP buffer, and the next process_request() reads these body bytes as a new request line.\n\n**Secondary Issue - CL+TE Header Acceptance:**\nAt line 7249-7286, when both Transfer-Encoding: chunked and Content-Length are present, the server uses chunked encoding and silently ignores Content-Length, violating RFC 9112 §6.3.\n\n## Exploitation Steps\n\n1. Build vulnerable server:\n   git clone --branch v0.39.0 https://github.com/yhirose/cpp-httplib.git\n   cd cpp-httplib\n   g++ -o test_server -O2 -std=c++11 -I. -Wall -Wextra -pthread example/simplesvr.cc\n   mkdir -p /tmp/test_root && echo '<h1>Test</h1>' > /tmp/test_root/index.html\n   ./test_server 8787 /tmp/test_root\n\n2. Send smuggled request:\n   Outer GET /index.html with Content-Length set to smuggled request size\n   Body contains smuggled GET /admin HTTP/1.1 request\n   Server processes both on keep-alive connection!\n\n## Impact\n- Request Smuggling: Arbitrary HTTP requests on keep-alive connections\n- Access Control Bypass: Smuggled requests bypass proxy-level auth\n- Cache Poisoning: Smuggled responses cached for wrong URLs\n- Request Hijacking: Behind reverse proxy, smuggled request paired with other user's request\n\n## Affected Versions\n- ≤0.38.0: Vulnerable\n- 0.40.0: Patched\n\n## Blast Radius\n- 16,300+ GitHub stars\n- 2,700+ forks\n- Header-only library embedded in countless C++ applications",
  "product": "cpp-httplib",
  "severity": "high",
  "status": "open",
  "summary": "cpp-httplib HTTP Request Smuggling via Unconsumed GET Request Body",
  "ticket_id": "CVE-2026-34441"
}