REPRO-2026-00127 HIGH Request Smuggling Verified

cpp-httplib HTTP Request Smuggling via Unconsumed GET Request Body

yhirose/cpp-httplib (github) Apr 4, 2026

Open in Codespaces Download Script Download Variant Script

Confidence HIGH

Reproduced in 61m 29s

Tool calls 300

Affected <=0.38.0 per GHSA metadata

Fixed in 0.40.0

What's the vulnerability?

cpp-httplib (16.3k+ GitHub stars) is vulnerable to HTTP Request Smuggling in versions ≤0.38.0. The server's static file handler serves GET responses WITHOUT consuming the request body, leaving body bytes on the TCP stream to be interpreted as a new HTTP request on keep-alive connections.

Root Cause Analysis

Variant Analysis

Bypass and alternate trigger exploration (if present).

One Command

Verify with pruva-verify

Run the Pruva CLI to automatically fetch and execute the reproduction script.

pruva-verify REPRO-2026-00127

or pruva-verify CVE-2026-34441

Install: curl -fsSL https://pruva.dev/install.sh | sh

Or Run Manually

1

Download the script

curl -O https://pruva.dev/api/v1/reproductions/REPRO-2026-00127/artifacts/repro/reproduction_steps.sh

2

Make executable

chmod +x reproduction_steps.sh

3

Run the script

./reproduction_steps.sh

Run in a VM, container, or disposable environment. This exploits a real vulnerability.

How Pruva Reproduced This

Watch the AI agent's step-by-step process.

Loading session...

Artifacts

repro/rca_report.md4.4 KB

repro/reproduction_steps.sh9.7 KB

vuln_variant/rca_report.md8.1 KB

vuln_variant/reproduction_steps.sh16.6 KB

bundle/ticket.json2.7 KB

bundle/AGENTS.repro.md0.8 KB

bundle/ticket.md2.3 KB

repro/artifacts/python_request.raw0.2 KB

repro/artifacts/exploit_result.json0.4 KB

repro/artifacts/smuggle_response.raw0.2 KB

repro/artifacts/server_v0.40.0.log0.0 KB

repro/artifacts/build_vuln.log0.0 KB

repro/artifacts/test_fixed556.5 KB

repro/artifacts/build_fixed.log0.0 KB

repro/artifacts/library_test.cpp5.5 KB

repro/artifacts/test_vuln554.3 KB

repro/artifacts/server_v0.38.0.log0.0 KB

repro/artifacts/response_v0.38.0.bin0.4 KB

repro/artifacts/final_results.json0.3 KB

repro/artifacts/response_v0.40.0.bin0.2 KB

repro/artifacts/request_hex.txt0.8 KB

repro/artifacts/payload_v0.38.0.bin0.1 KB

repro/artifacts/result_v0.40.0.json0.2 KB

repro/artifacts/response.raw0.2 KB

repro/artifacts/output_vuln.txt0.6 KB

repro/artifacts/result_v0.38.0.json0.2 KB

repro/artifacts/server.log0.0 KB

repro/artifacts/output_fixed.txt0.6 KB

repro/artifacts/smuggle_request.raw0.2 KB

repro/artifacts/payload_v0.40.0.bin0.1 KB

repro/artifacts/results.json0.3 KB

repro/artifacts/request.raw0.2 KB

repro/runtime_manifest.json0.8 KB

repro/validation_verdict.json0.7 KB

vuln_variant/variant_manifest.json2.0 KB

vuln_variant/source_identity.json1.0 KB

vuln_variant/patch_analysis.md6.3 KB

vuln_variant/validation_verdict.json2.1 KB

logs/vuln_variant/server_v0.38.0_v5_http10.log0.0 KB

logs/vuln_variant/result_v0.40.0_v3_head.json0.1 KB

logs/vuln_variant/payload_v0.38.0_v4_oversized.log0.0 KB

logs/vuln_variant/test_run.log2.7 KB

logs/vuln_variant/server_v0.40.0_v3_head.log0.0 KB

logs/vuln_variant/server_v0.38.0_v4_oversized.log0.0 KB

logs/vuln_variant/result_v0.38.0_v5_http10.json0.1 KB

logs/vuln_variant/result_v0.40.0_v4_oversized.json0.1 KB

logs/vuln_variant/result_v0.40.0_v2_cl_te.json0.1 KB

logs/vuln_variant/payload_v0.38.0_v2_cl_te.log0.2 KB

logs/vuln_variant/result_v0.38.0_v3_head.json0.1 KB

logs/vuln_variant/result_v0.38.0_v2_cl_te.json0.1 KB

logs/vuln_variant/payload_v0.38.0_v1_get_baseline.log0.1 KB

logs/vuln_variant/payload_v0.38.0_v5_http10.log0.0 KB

logs/vuln_variant/payload_v0.40.0_v2_cl_te.log0.2 KB

logs/vuln_variant/payload_v0.40.0_v1_get_baseline.log0.0 KB

logs/vuln_variant/payload_v0.40.0_v5_http10.log0.0 KB

logs/vuln_variant/final_variant_results.json0.6 KB

logs/vuln_variant/result_v0.38.0_v4_oversized.json0.1 KB

logs/vuln_variant/result_v0.38.0_v1_get_baseline.json0.1 KB

logs/vuln_variant/server_v0.38.0_v1_get_baseline.log0.1 KB

logs/vuln_variant/payload_v0.40.0_v3_head.log0.0 KB

logs/vuln_variant/server_v0.40.0_v4_oversized.log0.0 KB

logs/vuln_variant/server_v0.40.0_v1_get_baseline.log0.0 KB

logs/vuln_variant/build_v0.38.0.log0.0 KB

logs/vuln_variant/server_v0.40.0_v5_http10.log0.0 KB

logs/vuln_variant/server_v0.40.0_v2_cl_te.log0.0 KB

logs/vuln_variant/server_v0.38.0_v2_cl_te.log0.0 KB

logs/vuln_variant/result_v0.40.0_v5_http10.json0.1 KB

logs/vuln_variant/result_v0.40.0_v1_get_baseline.json0.1 KB

logs/vuln_variant/payload_v0.38.0_v3_head.log0.1 KB

logs/vuln_variant/payload_v0.40.0_v4_oversized.log0.0 KB

logs/vuln_variant/server_v0.38.0_v3_head.log0.1 KB

logs/vuln_variant/build_v0.40.0.log0.0 KB