Explore top 10 tips to secure your open-source projects now. Read More

×
Alerts This Week
Warning Icon 1 556
Alerts This Week
Warning Icon 1 556

openSUSE: cpp-httplib Exposed to IP Spoofing Log Pollution CVE-2026:20056-1

opensuse
Calendar Grey January 18, 2026
Dist Opensuse Esm H88
Critical security update for openSUSE addressing IP spoofing and log poisoning in cpp-httplib. Patch required.
An update that solves 2 vulnerabilities and has 2 bug fixes can now be installed.

Description

This update for cpp-httplib fixes the following issues:

- CVE-2025-66570: IP spoofing, log poisoning, and authorization bypass via header shadowing due to acceptance and

parsing of client-controlled injected HTTP headers in incoming requests (bsc#1254734).

- CVE-2025-66577: access and error log poisoning with spoofed client IPs due to unconditional acceptance of

client-controlled `X-Forwarded-For` and `X-Real-IP` headers (bsc#1254735).

Patch instructions:

To install this openSUSE security update use the suse recommended installation methods

like YaST online_update or "zypper patch".

Alternatively you can run the command listed for your product:

- openSUSE Leap 16.0

zypper in -t patch openSUSE-Leap-16.0-150=1

Patch

Package List

- openSUSE Leap 16.0:

cpp-httplib-devel-0.22.0-160000.3.1

libcpp-httplib0_22-0.22.0-160000.3.1

References

* bsc#1254734

* bsc#1254735

References:

* https://www.suse.com/security/cve/CVE-2025-66570.html

* https://www.suse.com/security/cve/CVE-2025-66577.html

Severity
critical
Lowest
Low
Medium
High
Critical

Announcement ID: openSUSE-SU-2026:20056-1
Rating: critical
Affected Products: openSUSE Leap 16.0 -------------------------------------------------------------

Get the latest News and Insights

Get the latest Linux and open source security news straight to your inbox.