
AIKIDO-2026-10402

yhirose.cpp-httplib is vulnerable to Path Traversal

Path Traversal Pre-CVE
Found by Aikido Intel before public disclosure or CVE publication.
Published Mar 19, 2026

Severity score: 75 (High Risk)

This Affects:

C++ / yhirose.cpp-httplib
0.0.1 - 0.37.2
Fixed in 0.38.0

TL;DR

The static file server follows symlinks when serving files; a symlink inside the mounted directory that points outside the mount can be used to read arbitrary files (directory traversal). The library also did not provide a dedicated filename sanitizer for multipart uploads, so applications that write uploaded files using the client-supplied filename without sanitization can write outside the intended directory. In the fix, the static file server resolves the requested path and returns 403 when the resolved path lies outside the mount, and sanitize_filename() was added so multipart handlers can safely derive a basename from untrusted filenames.
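The two controls the TL;DR describes, shown as an added C++ example that is not cpp-httplib's own code: resolve_static_path() rejects both lexical "../" escapes and symlink escapes by comparing the fully resolved target against the resolved mount root, and sanitize_filename() reduces an untrusted multipart filename to a bare basename. The function names, the 403/404 mapping and the temporary mount layout built by run_demo() are assumptions for illustration; the request path is assumed to be already percent-decoded.

```cpp
#include <filesystem>
#include <fstream>
#include <iostream>
#include <string>
#include <system_error>

namespace fs = std::filesystem;

// True when every component of `root` is a leading component of `candidate`,
// i.e. `candidate` is `root` itself or lies beneath it. Both paths must
// already be normalised (canonical) for the comparison to be meaningful.
static bool is_within(const fs::path& root, const fs::path& candidate) {
    auto r = root.begin();
    auto c = candidate.begin();
    for (; r != root.end(); ++r, ++c) {
        if (c == candidate.end() || *r != *c) return false;
    }
    return true;
}

struct Resolution {
    int status;       // HTTP status the server would answer with
    fs::path target;  // file to serve when status == 200
};

// Resolve a (percent-decoded) request path under `mount_root` (assumed API).
// Step 1 rejects "../" traversal lexically; step 2 follows symlinks and rejects
// any target whose resolved location is outside the resolved mount root.
Resolution resolve_static_path(const fs::path& mount_root, const std::string& request_path) {
    std::error_code ec;
    const fs::path root = fs::canonical(mount_root, ec);
    if (ec) return {500, {}};

    // Drop the leading "/" and collapse "." / ".." without touching the disk.
    const fs::path joined = (root / fs::path(request_path).relative_path()).lexically_normal();
    if (!is_within(root, joined)) return {403, {}};    // plain ../ escape

    // weakly_canonical resolves symlinks on the existing part of the path.
    const fs::path resolved = fs::weakly_canonical(joined, ec);
    if (ec) return {404, {}};
    if (!is_within(root, resolved)) return {403, {}};  // symlink points outside the mount
    if (!fs::is_regular_file(resolved, ec)) return {404, {}};
    return {200, resolved};
}

// Derive a safe basename from an untrusted multipart filename (assumed
// implementation, not the library's): keep only the part after the last
// '/', '\\' or ':' separator, drop control characters, strip leading dots so
// ".." or hidden files cannot result, and fall back to a default name.
std::string sanitize_filename(const std::string& untrusted) {
    std::string name = untrusted;
    const size_t cut = name.find_last_of("/\\:");
    if (cut != std::string::npos) name = name.substr(cut + 1);
    std::string out;
    for (unsigned char ch : name) {
        if (ch < 0x20 || ch == 0x7f) continue;
        out.push_back(static_cast<char>(ch));
    }
    const size_t first = out.find_first_not_of('.');
    out = (first == std::string::npos) ? std::string() : out.substr(first);
    if (out.empty()) out = "upload";
    return out;
}

struct DemoResult { int legit; int dotdot; int symlink_escape; int symlink_inside; };

// Builds a constructed mount under the temp directory: www/index.html (served),
// secret/config.txt (outside the mount), www/leak.txt -> secret/config.txt
// (symlink escape) and www/home.html -> index.html (symlink inside the mount).
DemoResult run_demo() {
    const fs::path base = fs::temp_directory_path() / "httplib_traversal_demo";
    fs::remove_all(base);
    fs::create_directories(base / "www");
    fs::create_directories(base / "secret");
    std::ofstream(base / "www" / "index.html") << "<h1>hello</h1>\n";
    std::ofstream(base / "secret" / "config.txt") << "db_password=constructed\n";
    fs::create_symlink(base / "secret" / "config.txt", base / "www" / "leak.txt");
    fs::create_symlink("index.html", base / "www" / "home.html");

    const fs::path www = base / "www";
    DemoResult r{
        resolve_static_path(www, "/index.html").status,          // 200
        resolve_static_path(www, "/../secret/config.txt").status, // 403
        resolve_static_path(www, "/leak.txt").status,             // 403
        resolve_static_path(www, "/home.html").status,            // 200
    };
    fs::remove_all(base);
    return r;
}

int main() {
    const DemoResult r = run_demo();
    std::cout << "index.html: " << r.legit << "  ../: " << r.dotdot
              << "  symlink escape: " << r.symlink_escape
              << "  symlink inside: " << r.symlink_inside << "\n";
    std::cout << sanitize_filename("../../etc/passwd") << "\n";  // passwd
    return 0;
}
```

The order of the two checks matters: the lexical check alone is what the vulnerable behaviour amounts to, and it passes "/leak.txt" because the escape only appears once the symlink is followed; only the comparison after weakly_canonical catches it. For uploads, the handler should combine the sanitized basename with its own upload directory rather than ever joining the raw client filename.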

Who does this affect?

You are affected if you are using a version that falls within the vulnerable range.

Background info

yhirose.cpp-httplib is vulnerable to Path Traversal in versions 0.0.1 - 0.37.2.

How to fix this

Upgrade yhirose.cpp-httplib to 0.38.0 or later, the version in which the fix was released.