SB2026042436 - Information disclosure in Cpp-httplib




Published: April 24, 2026

Security Bulletin ID: SB2026042436
CSH Severity: Medium
Patch available: YES
Number of vulnerabilities: 1
Exploitation vector: Remote access
Highest impact: Data manipulation

Breakdown by Severity

Medium: 100%

Description

This security bulletin contains information about 1 vulnerability.


1) Information disclosure (CVE-ID: CVE-2026-33745)

CWE-ID: CWE-200 - Exposure of sensitive information to an unauthorized actor

CVSSv4: CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:H/VI:H/VA:N/SC:N/SI:N/SA:N/E:U/U:Green


The vulnerability allows a remote attacker to cause sensitive credentials to be disclosed to an unauthorized host.

The vulnerability exists in ClientImpl::redirect() and the related redirect credential handling, which expose sensitive information to an unauthorized actor when the client follows cross-origin HTTP redirects. A remote attacker can trigger a redirect to an attacker-controlled host, causing the client to disclose sensitive credentials to that host.

Requests are affected when redirect following is enabled and stored Basic Auth, Bearer Token, or Digest Auth credentials are configured. Cross-origin redirects may also cause credentials to be sent after an HTTPS-to-HTTP downgrade.
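
The origin comparison that decides whether stored credentials may follow a redirect, shown as an added example: it is not cpp-httplib's code or its patch, and the names Origin, parse_origin and forward_credentials_on_redirect are hypothetical. It assumes the caller has already resolved the Location header to an absolute URL.

```cpp
#include <cctype>
#include <string>

// Added example: an origin is the (scheme, host, port) triple.
struct Origin {
  std::string scheme, host;
  int port = 0;
};

static std::string lower(std::string s) {
  for (char &c : s) c = static_cast<char>(std::tolower(static_cast<unsigned char>(c)));
  return s;
}

// Parses an absolute http(s) URL into its origin; returns false on anything else.
bool parse_origin(const std::string &url, Origin &out) {
  const auto npos = std::string::npos;
  auto sep = url.find("://");
  if (sep == npos) return false;
  out.scheme = lower(url.substr(0, sep));
  if (out.scheme != "http" && out.scheme != "https") return false;
  auto end = url.find_first_of("/?#", sep + 3);
  std::string auth = url.substr(sep + 3, end == npos ? npos : end - (sep + 3));
  auto at = auth.rfind('@');  // drop userinfo so the real host is compared
  if (at != npos) auth = auth.substr(at + 1);
  auto colon = auth.rfind(':'), bracket = auth.rfind(']');
  bool has_port = colon != npos && (bracket == npos || colon > bracket);
  out.host = lower(has_port ? auth.substr(0, colon) : auth);
  out.port = out.scheme == "https" ? 443 : 80;  // default port when none is given
  if (has_port) {
    std::string p = auth.substr(colon + 1);
    if (p.empty() || p.size() > 5) return false;  // reject empty or oversized ports
    for (char c : p) if (c < '0' || c > '9') return false;
    out.port = std::stoi(p);
    if (out.port > 65535) return false;
  }
  return !out.host.empty();
}

// Fail closed: keep stored credentials only when both URLs parse and every
// component of the origin matches, which also rejects HTTPS-to-HTTP downgrades.
bool forward_credentials_on_redirect(const std::string &from, const std::string &to) {
  Origin a, b;
  if (!parse_origin(from, a) || !parse_origin(to, b)) return false;
  return a.scheme == b.scheme && a.host == b.host && a.port == b.port;
}
```

A client would call this check before re-attaching Basic, Bearer or Digest credentials to the redirected request and drop them when it returns false.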


Remediation

Install the update from the vendor's website.