CVE-2026-32627

{"id": "CVE-2026-32627", "cveTags": [], "metrics": {"cvssMetricV31": [{"type": "Secondary", "source": "security-advisories@github.com", "cvssData": {"scope": "CHANGED", "version": "3.1", "baseScore": 8.7, "attackVector": "NETWORK", "baseSeverity": "HIGH", "vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:C/C:H/I:H/A:N", "integrityImpact": "HIGH", "userInteraction": "NONE", "attackComplexity": "HIGH", "availabilityImpact": "NONE", "privilegesRequired": "NONE", "confidentialityImpact": "HIGH"}, "impactScore": 5.8, "exploitabilityScore": 2.2}, {"type": "Primary", "source": "nvd@nist.gov", "cvssData": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 8.1, "attackVector": "NETWORK", "baseSeverity": "HIGH", "vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H", "integrityImpact": "HIGH", "userInteraction": "NONE", "attackComplexity": "HIGH", "availabilityImpact": "HIGH", "privilegesRequired": "NONE", "confidentialityImpact": "HIGH"}, "impactScore": 5.9, "exploitabilityScore": 2.2}]}, "published": "2026-03-16T14:19:40.270", "references": [{"url": "https://github.com/yhirose/cpp-httplib/security/advisories/GHSA-c3h8-fqq4-xm4g", "tags": ["Exploit", "Vendor Advisory"], "source": "security-advisories@github.com"}], "vulnStatus": "Analyzed", "weaknesses": [{"type": "Primary", "source": "security-advisories@github.com", "description": [{"lang": "en", "value": "CWE-295"}]}], "descriptions": [{"lang": "en", "value": "cpp-httplib is a C++11 single-file header-only cross platform HTTP/HTTPS library. Prior to 0.37.2, when a cpp-httplib client is configured with a proxy and set_follow_location(true), any HTTPS redirect it follows will have TLS certificate and hostname verification silently disabled on the new connection. The client will accept any certificate presented by the redirect target \u2014 expired, self-signed, or forged \u2014 without raising an error or notifying the application. A network attacker in a position to return a redirect response can fully intercept the follow-up HTTPS connection, including any credentials or session tokens in flight. This vulnerability is fixed in 0.37.2."}, {"lang": "es", "value": "cpp-httplib es una biblioteca HTTP/HTTPS multiplataforma de C++11 de un solo archivo de cabecera. Antes de 0.37.2, cuando un cliente cpp-httplib est\u00e1 configurado con un proxy y set_follow_location(true), cualquier redirecci\u00f3n HTTPS que siga tendr\u00e1 la verificaci\u00f3n de certificado TLS y de nombre de host silenciosamente deshabilitada en la nueva conexi\u00f3n. El cliente aceptar\u00e1 cualquier certificado presentado por el objetivo de redirecci\u00f3n \u2014 caducado, autofirmado o falsificado \u2014 sin generar un error o notificar a la aplicaci\u00f3n. Un atacante de red en posici\u00f3n de devolver una respuesta de redirecci\u00f3n puede interceptar completamente la conexi\u00f3n HTTPS de seguimiento, incluyendo cualquier credencial o tokens de sesi\u00f3n en tr\u00e1nsito. Esta vulnerabilidad est\u00e1 corregida en 0.37.2."}], "lastModified": "2026-03-17T19:08:44.583", "configurations": [{"nodes": [{"negate": false, "cpeMatch": [{"criteria": "cpe:2.3:a:yhirose:cpp-httplib:*:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "41B98CDE-3EAB-4DFB-9B9C-536C21640B8C", "versionEndExcluding": "0.37.2"}], "operator": "OR"}]}], "sourceIdentifier": "security-advisories@github.com"}