{"id":"CVE-2025-0825","details":"cpp-httplib version v0.17.3 through v0.18.3 fails to filter CRLF characters (\"\\r\\n\") when those are prefixed with a null byte. This enables attackers to exploit CRLF injection that could further lead to HTTP Response Splitting, XSS, and more.","modified":"2026-04-12T17:35:44.042426Z","published":"2025-02-04T15:15:19.420Z","references":[{"type":"FIX","url":"https://github.com/yhirose/cpp-httplib/commit/9c36aae4b73e2b6e493f4133e4173103c9266289"},{"type":"EVIDENCE","url":"https://advisory.checkmarx.net/advisory/CVE-2025-0825/"}],"affected":[{"ranges":[{"type":"GIT","repo":"https://github.com/yhirose/cpp-httplib","events":[{"introduced":"61c418048d8b0e42cc55e908c1c2da1e2f617f86"},{"fixed":"54f8a4d0f34acb3cc508e337d9881296b70201ad"},{"fixed":"9c36aae4b73e2b6e493f4133e4173103c9266289"}],"database_specific":{"versions":[{"introduced":"0.17.3"},{"fixed":"0.18.4"}]}}],"versions":["v0.17.3","v0.18.0","v0.18.1","v0.18.2","v0.18.3"],"database_specific":{"vanir_signatures_modified":"2026-04-12T17:35:44Z","source":"https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2025-0825.json","vanir_signatures":[{"digest":{"function_hash":"277590819831059525472533281089288552273","length":198},"source":"https://github.com/yhirose/cpp-httplib/commit/9c36aae4b73e2b6e493f4133e4173103c9266289","signature_version":"v1","id":"CVE-2025-0825-2d71384a","deprecated":false,"target":{"function":"Request::set_header","file":"httplib.h"},"signature_type":"Function"},{"digest":{"threshold":0.9,"line_hashes":["260809132634571723839772955850142221824","319534684125098744198272177949270052092","96823469935756260405829661134819320602"]},"source":"https://github.com/yhirose/cpp-httplib/commit/9c36aae4b73e2b6e493f4133e4173103c9266289","signature_version":"v1","id":"CVE-2025-0825-9cbcc937","deprecated":false,"target":{"file":"test/test.cc"},"signature_type":"Line"},{"digest":{"function_hash":"282002448680622989766430596597376481670","length":199},"source":"https://github.com/yhirose/cpp-httplib/commit/9c36aae4b73e2b6e493f4133e4173103c9266289","signature_version":"v1","id":"CVE-2025-0825-b1762a9f","deprecated":false,"target":{"function":"Response::set_header","file":"httplib.h"},"signature_type":"Function"},{"digest":{"threshold":0.9,"line_hashes":["122865845419926169633108976348119279437","98933187978073131876729465628352425928","135424939433162493096086386300940917929","238031900777529823881172876332142156481","13103752831172150952358981631739970420","294716977488620022515304112326686077489","276027594476214969815632879869087700889","235224613071864695515402239674036034424","65652300073549646086793421028308367337","294716977488620022515304112326686077489","276027594476214969815632879869087700889","279196033155740987593201962810448484335","315534572009822831089630188210732145852","310443426124241150645112224040646570913","294204733884467423012074930542100496786","298508178807259458117828438646272216561"]},"source":"https://github.com/yhirose/cpp-httplib/commit/9c36aae4b73e2b6e493f4133e4173103c9266289","signature_version":"v1","id":"CVE-2025-0825-c968b88a","deprecated":false,"target":{"file":"httplib.h"},"signature_type":"Line"},{"digest":{"function_hash":"4183272750077159462135840059502598777","length":271},"source":"https://github.com/yhirose/cpp-httplib/commit/9c36aae4b73e2b6e493f4133e4173103c9266289","signature_version":"v1","id":"CVE-2025-0825-d0c62d47","deprecated":false,"target":{"function":"Response::set_redirect","file":"httplib.h"},"signature_type":"Function"}]}}],"schema_version":"1.7.5","severity":[{"type":"CVSS_V3","score":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N"}]}