# Gakido - CRLF Injection

Advisory ID: RO-26-005
CVE ID: CVE-2026-24489
Severity: Medium
Vendor: HappyHackingSpace
Product: Gakido
Version: < 0.1.1-1bc6019

## Overview

A vulnerability was discovered in Gakido that allowed HTTP header injection through CRLF (Carriage Return Line Feed) sequences in user-supplied header values and names.

## Vulnerability Details

When making HTTP requests with user-controlled header values containing `\r\n` (CRLF), `\n` (LF), or `\x00` (null byte) characters, an attacker could inject arbitrary HTTP headers into the request.

Affected Code: The vulnerability existed in the header processing logic where user-supplied headers were not sanitized before being sent in HTTP requests.

- File: `gakido/headers.py`
- Function: `canonicalize_headers()`

## Impact

An attacker who can control header values passed to Gakido's `Client.get()`, `Client.post()`, or other request methods could:

- Inject arbitrary HTTP headers - Add malicious headers to requests
- HTTP Response Splitting - Potentially manipulate responses in certain proxy configurations
- Cache Poisoning - Inject headers that could poison intermediate caches
- Session Fixation - Inject session-related headers
- Bypass Security Controls - Inject headers that bypass server-side security checks

## Proof of Concept

```python
from gakido import Client

# Before fix: X-Injected header would be sent as a separate header
c = Client(impersonate="chrome_120")
r = c.get("https://httpbin.org/headers", headers={
    "User-Agent": "test\r\nX-Injected: pwned"
})
```

## References

- GHSA-gcgx-chcp-hxp9
- Fix Commit (369c67e)
- Release v0.1.1-1bc6019

Timeline:

- [2026-01-25] - Reported
- [2026-01-27] - Published

Credits: Omar Kurt
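The following is an added example illustrating the mitigation for the header-injection issue described in the Vulnerability Details and Proof of Concept sections above. It is not Gakido's code and does not reproduce the project's `canonicalize_headers()`; the helper names (`validate_header`, `sanitize_headers`, `header_line_count`) and the `HeaderInjectionError` class are hypothetical. It shows the check a client library should apply before serializing user-supplied headers: reject any name that is not an RFC 9110 token and any value containing CR, LF, or NUL, and it counts the wire lines a header dict would produce so the split caused by an unsanitized value is visible.

```python
import re

# Hypothetical validation layer, not Gakido's own implementation.
# RFC 9110 "tchar" set: the only characters allowed in a header field name.
_TOKEN_RE = re.compile(r"[!#$%&'*+\-.^_`|~0-9A-Za-z]+")
# Characters that terminate or corrupt a header line on the wire.
_FORBIDDEN_IN_VALUE = ("\r", "\n", "\x00")


class HeaderInjectionError(ValueError):
    """Raised when a header name or value could split the request."""


def validate_header(name: str, value: str) -> tuple:
    """Return (name, value) if safe to serialize, else raise.

    fullmatch() is used rather than match() with '$' because '$' would
    accept a trailing newline and let 'X-Name\n' through.
    """
    if not _TOKEN_RE.fullmatch(name):
        raise HeaderInjectionError(f"invalid header name: {name!r}")
    for ch in _FORBIDDEN_IN_VALUE:
        if ch in value:
            raise HeaderInjectionError(
                f"forbidden character {ch!r} in value of header {name!r}"
            )
    # Leading/trailing optional whitespace is not part of the field value.
    return name, value.strip(" \t")


def sanitize_headers(headers: dict) -> dict:
    """Validate every entry; any unsafe header aborts the whole request."""
    return dict(validate_header(str(k), str(v)) for k, v in headers.items())


def serialize_headers(headers: dict) -> str:
    """Naive wire encoding used by many clients: one 'Name: value\\r\\n' line
    per entry. No validation here, so an embedded CRLF becomes a new line."""
    return "".join(f"{k}: {v}\r\n" for k, v in headers.items())


def header_line_count(headers: dict) -> int:
    """How many header lines the naive encoding would emit.

    For a safe dict this equals len(headers); a larger number means a value
    smuggled in an extra header, which is exactly the advisory's finding."""
    return serialize_headers(headers).count("\r\n")


if __name__ == "__main__":
    # Constructed sample input mirroring the advisory's proof of concept.
    unsafe = {"User-Agent": "test\r\nX-Injected: pwned"}
    print("naive encoding would emit", header_line_count(unsafe),
          "lines for", len(unsafe), "header(s)")
    try:
        sanitize_headers(unsafe)
    except HeaderInjectionError as exc:
        print("rejected:", exc)
    print("accepted:", sanitize_headers({"User-Agent": " test "}))
```

The detection side of this is the `header_line_count(h) != len(h)` comparison: a library or proxy that logs a mismatch between the number of headers it was given and the number of lines it is about to write has caught the injection before the bytes leave the host. The fix a client should apply is the one `sanitize_headers` demonstrates, failing the request rather than silently stripping the offending characters, since stripping can still change the meaning of the value.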