# CVE-2026-34441

## Summary

cpp-httplib HTTP Request Smuggling via Unconsumed GET Request Body

## Description

CRITICAL: HTTP Request Smuggling Vulnerability in cpp-httplib

## Overview
cpp-httplib (16.3k+ GitHub stars) is vulnerable to HTTP Request Smuggling in versions ≤0.38.0. The server's static file handler serves GET responses without consuming the request body. On a keep-alive connection, the leftover body bytes stay on the TCP stream and are interpreted as a new HTTP request.

## Root Cause Analysis

**Primary Issue - Unconsumed Request Body:**
In `Server::routing()` at lines 11587-11589, when a GET request matches a static file mount point, `handle_file_request()` returns true immediately. The `expect_content()` check at line 11592 (which would read the body) is never reached.

After serving the response, `process_server_socket_core()` (line 5629) reuses the keep-alive connection. The unread body bytes remain in the TCP buffer, and the next `process_request()` call reads them as a new request line.

**Secondary Issue - CL+TE Header Acceptance:**
At lines 7249-7286, when both `Transfer-Encoding: chunked` and `Content-Length` are present, the server uses chunked encoding and silently ignores `Content-Length`, violating RFC 9112 §6.3.
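
The connection-reuse rule that both issues above violate, written as a stand-alone check. This is an added example, not cpp-httplib's code or its patch; `classify_framing`, `Framing` and `Decision` are hypothetical names. It assumes the handler replied without reading the body, and it treats every `Transfer-Encoding` request as close-after-response, which is stricter than RFC 9112 requires when `Content-Length` is absent.

```cpp
// Added example, not cpp-httplib code. All names here are hypothetical.
#include <algorithm>
#include <cctype>
#include <cstdlib>
#include <sstream>
#include <string>

enum class Framing { ReuseOk, DrainThenReuse, CloseAfterResponse, Reject };
struct Decision { Framing action; unsigned long long drain_bytes; };

static std::string lower_trim(std::string s) {
  auto ws = [](unsigned char c) { return std::isspace(c) != 0; };
  s.erase(s.begin(), std::find_if_not(s.begin(), s.end(), ws));
  s.erase(std::find_if_not(s.rbegin(), s.rend(), ws).base(), s.end());
  std::transform(s.begin(), s.end(), s.begin(),
                 [](unsigned char c) { return (char)std::tolower(c); });
  return s;
}

// head: request line and header lines (CRLF-separated), body excluded.
// Answers: after a handler replied WITHOUT reading the body, what must
// happen before the next request is parsed from this connection?
Decision classify_framing(const std::string &head) {
  std::istringstream in(head);
  std::string line, cl;
  bool has_cl = false, has_te = false;
  std::getline(in, line);  // request line: the rule applies to GET as well
  while (std::getline(in, line)) {
    std::string::size_type colon = line.find(':');
    if (colon == std::string::npos) continue;
    std::string name = lower_trim(line.substr(0, colon));
    std::string value = lower_trim(line.substr(colon + 1));
    if (name == "transfer-encoding") has_te = true;
    if (name != "content-length") continue;
    if (has_cl && value != cl) return {Framing::Reject, 0};  // conflicting values
    has_cl = true;
    cl = value;
  }
  // Chunked length is unknown until decoded; with CL also present RFC 9112
  // section 6.3 requires closing the connection after the response.
  if (has_te) return {Framing::CloseAfterResponse, 0};
  if (!has_cl) return {Framing::ReuseOk, 0};
  bool digits = !cl.empty() && cl.size() <= 18 &&
                std::all_of(cl.begin(), cl.end(),
                            [](unsigned char c) { return std::isdigit(c) != 0; });
  if (!digits) return {Framing::Reject, 0};
  unsigned long long n = std::strtoull(cl.c_str(), nullptr, 10);
  if (n == 0) return {Framing::ReuseOk, 0};
  return {Framing::DrainThenReuse, n};
}
```

A server that gets `DrainThenReuse` must read and discard `drain_bytes` from the socket (or close the connection) before parsing the next request line.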

## Exploitation Steps

1. Build vulnerable server:

   ```
   git clone --branch v0.39.0 https://github.com/yhirose/cpp-httplib.git
   cd cpp-httplib
   g++ -o test_server -O2 -std=c++11 -I. -Wall -Wextra -pthread example/simplesvr.cc
   mkdir -p /tmp/test_root && echo '<h1>Test</h1>' > /tmp/test_root/index.html
   ./test_server 8787 /tmp/test_root
   ```

2. Send smuggled request:
   - Outer `GET /index.html` with `Content-Length` set to the smuggled request size
   - Body contains the smuggled `GET /admin HTTP/1.1` request
   - Server processes both on the keep-alive connection

## Impact
- Request Smuggling: Arbitrary HTTP requests on keep-alive connections
- Access Control Bypass: Smuggled requests bypass proxy-level auth
- Cache Poisoning: Smuggled responses cached for wrong URLs
- Request Hijacking: Behind a reverse proxy, the smuggled request is paired with another user's request

## Affected Versions
- ≤0.38.0: Vulnerable
- 0.40.0: Patched

## Blast Radius
- 16,300+ GitHub stars
- 2,700+ forks
- Header-only library embedded in countless C++ applications

## Metadata

- Product: cpp-httplib
- Severity: high
- Status: open
