# Update to 0.48.0 (rhbz#2481109) ## Security fixes - Complete the IP-host certificate identity fix from v0.47.0 for the Mbed TLS and wolfSSL backends. An IP-literal host is now authenticated only via a matching iPAddress SAN, never via the certificate's Common Name (RFC 9110) — matching what the OpenSSL backend already enforces through X509_check_ip. Previously these backends fell back to the CN when no IP SAN matched, and recognized IPv4 only; now IPv6 (16-byte) iPAddress SANs are matched as well, and the CN fallback is skipped for both IPv4 and IPv6 literal hosts (#2476) ## Improvements - Replace the strtod-based from_chars for double with a hand-written, locale-independent parser. The only double parsed by the library is the HTTP quality value; strtod reads the decimal separator from the global C locale, so an embedder calling setlocale(LC_ALL, "") into a comma-decimal locale would mis-parse q-values. The new parser always treats . as the decimal separator and is allocation-free (Fix #2475) - Fix OpenSSL 4.0 deprecation warnings: fetch CA store objects via the thread-safe X509_STORE_get1_objects() (OpenSSL 3.3+) and extract the subject CN via X509_NAME_get_index_by_NID()/X509_NAME_get_entry() instead of the deprecated X509_STORE_get0_objects() and X509_NAME_get_text_by_NID(). Older OpenSSL, BoringSSL, and LibreSSL keep using the get0 path. Verified warning-free against OpenSSL 4.0.1, 3.6.2, and 3.0 ## Behavior changes - decode_query_component() now uses strict hex parsing for percent-escapes, consistent with decode_uri_component() and decode_path_component(). A % followed by non-hex characters (e.g. a sign or whitespace such as %-1, %+5, % 5) is passed through literally instead of being accepted as a valid escape (#2472) Source: https://github.com/yhirose/cpp-httplib/releases/tag/v0.48.0 # Update to 0.47.0 (rhbz#2481109, CVE-2026-46527, CVE-2026-45372, CVE-2026-45352) ## Security fixes - Fix TLS certificate chain verification bypass for IP-literal hosts on the Mbed TLS and wolfSSL backends: with server certificate verification enabled, SSLClient skipped chain validation entirely (any untrusted certificate with a matching IP SAN was accepted), and WebSocketClient on Mbed TLS skipped verification altogether. Chain verification now stays enabled for IP hosts, and certificate identity is verified post-handshake against IP SANs on all backends. SNI is no longer sent for IP hosts on Mbed TLS and wolfSSL, per RFC 6066 ([CVE-2026-54919](https://github.com/yhirose/cpp-httplib/security/advisories/GHSA-8ffh-4p95-g3p2)) ## New features - Add Server::set_start_handler(): a callback invoked when the server is ready to accept connections, useful when running the server in a background thread (#2467) - Add Client/SSLClient/WebSocketClient::enable_system_ca(bool) to opt into loading system CA certificates alongside a custom CA. The default is unchanged: a custom CA remains exclusive. The setting carries over to clients created for HTTPS redirects (#2471) - Add WebSocketClient::set_hostname_addr_map() to connect to a specific IP address while keeping the original hostname for the handshake and certificate verification (#2463) ## Behavior changes - The request body is now read after route matching and the pre-request handler, so both the regular handler and ContentReader paths behave the same: route matching → pre-request handler → body read → handler. A request rejected by the pre-request handler (e.g. failed per-route authentication via req.matched_route) no longer buffers the body at all. Note: code that referenced req.body or body-derived form fields inside the pre-request handler will now see an empty body; inspect headers, path, query parameters, or matched_route instead - WebSocketClient with a custom CA no longer merges system CA certificates (it previously always merged them). This matches SSLClient behavior; call enable_system_ca(true) to load system CA certificates alongside the custom CA - Range request headers are now ignored for streaming responses of unknown length instead of producing an invalid response (#2465) ## Bug fixes - Fix SSLClient::set_ca_cert_store() breaking custom-CA exclusivity: system CA certificates were silently merged into the user-provided store, broadening the trust set. Also fix Client::load_ca_cert_store() not carrying CA certificates over to clients created for HTTPS redirects - Fix WebSocketClient dropping the query string from the URL during the upgrade handshake, so query parameters (e.g. auth tokens) are sent (#2468) - Fix a use-after-free when reconnecting a WebSocketClient after set_ca_cert_store(), and a memory leak in the Mbed TLS and wolfSSL set_ca_cert_store() backends - Fix MSVC warning C4309 (truncation of constant value) in SHA padding code (#2464) - Cast to unsigned char before ctype calls in is_hex and is_token_char to avoid undefined behavior with negative char values (#2469) Source: https://github.com/yhirose/cpp-httplib/releases/tag/v0.47.0