Platform
cpp
Component
cpp-httplib
Fixed in
0.39.1
CVE-2026-33745 is a high-severity vulnerability in cpp-httplib versions up to and including 0.39.0. When the client follows an HTTP redirect to a different origin, the library forwards the request's Authorization header, and with it Basic, Bearer or Digest credentials, to the new host. Any server that can answer with a redirect, or an attacker who can inject one, therefore receives credentials that were meant only for the original host. Basic credentials are merely base64-encoded and Bearer tokens are the secret itself, so the attacker obtains them in directly reusable form.
To exploit this, an attacker needs a server the client talks to while authenticated to return a 3xx response whose Location header points at a host the attacker controls. That server may be compromised, or the attacker may be able to tamper with its response (for example through a man-in-the-middle position on a plain HTTP connection). When a cpp-httplib client with redirect following enabled receives that response, it sends the follow-up request, Authorization header included, to the attacker's host, which simply logs the usernames, passwords or tokens. Stolen credentials are then usable against the original service and anything else that accepts them. This is the same class of bug that browsers and mature HTTP clients guard against by dropping Authorization on a change of origin; curl, for instance, strips the header on a cross-host redirect unless `--location-trusted` is passed explicitly.
CVE-2026-33745 was publicly disclosed on 2026-03-27. There is no indication of active exploitation at this time, and it is not listed in the CISA KEV catalog. No public proof-of-concept code is known, but standing up a host that returns a redirect and logs incoming headers is trivial, so the absence of a PoC should not be read as a barrier. The current EPSS score is low (0.04%, 13th percentile); that reflects the attacker's need to control or influence a server the client already talks to, not the severity of the outcome once that condition is met.
Exploit Status
EPSS
0.04% (13th percentile)
CISA SSVC
CVSS Vector
The primary mitigation for CVE-2026-33745 is to upgrade to cpp-httplib 0.39.1 or later, the first release containing the fix. If upgrading is not immediately feasible, disable automatic redirect following (cpp-httplib's `Client::set_follow_location(false)`) and handle 3xx responses in application code, resolving the Location header yourself and sending credentials again only when the target has the same scheme, host and port as the original request. A web application firewall does not help here, because the affected party is the client, not a server you operate; an egress proxy that the client is configured to use and that rejects cross-origin redirects is the network-level equivalent. After upgrading, confirm the fix with two hosts you control: have the first respond to an authenticated request with a redirect to the second, and verify that the request arriving at the second host carries no Authorization header.
Update the cpp-httplib library to version 0.39.1 or higher. This stops the client from forwarding authentication credentials to a different host when it follows a cross-origin HTTP redirect. The update corrects the behaviour that let a malicious or compromised server redirect the client to an attacker-controlled host and receive the contents of the `Authorization` header.
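The following is an added example, written for this page rather than taken from cpp-httplib, that models the redirect decision the advisory describes: a small origin comparison plus Location resolution, with a switch that reproduces the affected behaviour (forward everything) beside the corrected one (drop Authorization when the origin changes). The function and type names, and the `example.test` hosts, are hypothetical and constructed for the demonstration; nothing here calls the cpp-httplib API, so it runs offline and can serve as the application-side check described in the mitigation when automatic redirect following is disabled.

```cpp
#include <algorithm>
#include <cassert>
#include <cctype>
#include <iostream>
#include <map>
#include <string>

// Origin of a URL: scheme, host and port. Two requests are same-origin only
// when all three match, so a scheme downgrade or port change is cross-origin.
struct Origin {
    std::string scheme;
    std::string host;
    int port = 0;
    bool operator==(const Origin &o) const {
        return scheme == o.scheme && host == o.host && port == o.port;
    }
};

static std::string to_lower(std::string s) {
    std::transform(s.begin(), s.end(), s.begin(),
                   [](unsigned char c) { return std::tolower(c); });
    return s;
}

// Parse "scheme://[user@]host[:port][/path]" into an Origin. Returns false for
// anything that is not an absolute http(s) URL. IPv6 literals are not handled
// (assumption: hostnames or IPv4 only, enough for the demonstration).
static bool parse_origin(const std::string &url, Origin &out) {
    auto sep = url.find("://");
    if (sep == std::string::npos) return false;
    out.scheme = to_lower(url.substr(0, sep));
    if (out.scheme != "http" && out.scheme != "https") return false;
    std::string authority = url.substr(sep + 3);
    authority = authority.substr(0, authority.find('/'));
    auto at = authority.rfind('@');
    if (at != std::string::npos) authority = authority.substr(at + 1);
    auto colon = authority.rfind(':');
    if (colon != std::string::npos) {
        out.host = to_lower(authority.substr(0, colon));
        try { out.port = std::stoi(authority.substr(colon + 1)); }
        catch (...) { return false; }
    } else {
        out.host = to_lower(authority);
        out.port = (out.scheme == "https") ? 443 : 80;
    }
    return !out.host.empty();
}

// Resolve a Location header value against the URL that produced the redirect:
// absolute, scheme-relative ("//host/..."), root-relative ("/...") or
// path-relative values.
std::string resolve_location(const std::string &current, const std::string &loc) {
    if (loc.find("://") != std::string::npos) return loc;
    Origin o;
    if (!parse_origin(current, o)) return loc;
    if (loc.rfind("//", 0) == 0) return o.scheme + ":" + loc;
    std::string base = o.scheme + "://" + o.host + ":" + std::to_string(o.port);
    if (!loc.empty() && loc[0] == '/') return base + loc;
    auto path_start = current.find('/', current.find("://") + 3);
    std::string path = (path_start == std::string::npos) ? "/" : current.substr(path_start);
    path = path.substr(0, path.rfind('/') + 1);   // keep directory part only
    return base + path + loc;
}

using Headers = std::map<std::string, std::string>;

// Headers for the redirected request. With strip_cross_origin_auth set,
// Authorization is dropped whenever the target origin differs from the current
// one (or either URL fails to parse); with it cleared, every header is
// forwarded, which is the behaviour the advisory describes for <= 0.39.0.
Headers headers_for_redirect(const std::string &current_url, const std::string &next_url,
                             const Headers &headers, bool strip_cross_origin_auth) {
    Headers out;
    Origin a, b;
    bool same_origin = parse_origin(current_url, a) && parse_origin(next_url, b) && a == b;
    for (const auto &kv : headers) {
        bool is_auth = to_lower(kv.first) == "authorization";   // header names are case-insensitive
        if (strip_cross_origin_auth && is_auth && !same_origin) continue;
        out.insert(kv);
    }
    return out;
}

// Constructed scenario (no network): a bearer token sent to an API that
// redirects to a host under someone else's control.
bool demo() {
    const Headers req{{"Authorization", "Bearer s3cr3t-token"}, {"Accept", "application/json"}};
    const std::string origin_url = "https://api.example.test/login";
    std::string hostile = resolve_location(origin_url, "https://collector.example.test/r");
    Headers vulnerable = headers_for_redirect(origin_url, hostile, req, false);
    Headers fixed = headers_for_redirect(origin_url, hostile, req, true);
    std::cout << "vulnerable forwards Authorization: " << vulnerable.count("Authorization")
              << "\nfixed forwards Authorization:      " << fixed.count("Authorization") << "\n";
    return vulnerable.count("Authorization") == 1 && fixed.count("Authorization") == 0;
}

int main() { return demo() ? 0 : 1; }
```

The origin comparison deliberately includes scheme and port, so a redirect from `https://api.example.test` to `http://api.example.test` also loses the header; a host-only comparison would let a downgrade redirect leak the token over plaintext, which is the "plaintext" exposure the advisory warns about in its strictest sense.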
CVE-2026-33745 is a high-severity vulnerability in cpp-httplib versions up to and including 0.39.0 that lets an attacker obtain a client's Authorization credentials by redirecting it to a host they control.
You are affected if you use cpp-httplib 0.39.0 or earlier, your client sends an Authorization header, and it is configured to follow redirects.
Upgrade to cpp-httplib 0.39.1 or later to resolve the vulnerability. As an interim measure, disable automatic redirect following and re-send credentials only to the original origin, or route the client through a proxy that rejects cross-origin redirects.
There is currently no indication of active exploitation, but a redirect-serving host is all an attacker needs, so clients that authenticate to third-party or untrusted servers are a realistic target.
Refer to the cpp-httplib project's repository or website for the official advisory and release notes.