Gakido CRLF Injection

Gakido CRLF Injection

Gakido - CRLF Injection
Advisory ID: RO-26-005
CVE ID: CVE-2026-24489
Severity: Gakido CRLF Injection

Gakido - CRLF Injection
Advisory ID: RO-26-005
CVE ID: CVE-2026-24489
Severity: Medium
Vendor: HappyHackingSpace
Product: Gakido
Version: < 0.1.1-1bc6019


Overview #

A vulnerability was discovered in Gakido that allowed HTTP header injection through CRLF (Carriage Return Line Feed) sequences in user-supplied header values and names.


Vulnerability Details #

When making HTTP requests with user-controlled header values containing \r\n (CRLF), \n (LF), or \x00 (null byte) characters, an attacker could inject arbitrary HTTP headers into the request.

Affected Code: The vulnerability existed in the header processing logic where user-supplied headers were not sanitized before being sent in HTTP requests.

File: gakido/headers.py
Function: canonicalize_headers()

Impact #

An attacker who can control header values passed to Gakido's Client.get(), Client.post(), or other request methods could:

Inject arbitrary HTTP headers - Add malicious headers to requests
HTTP Response Splitting - Potentially manipulate responses in certain proxy configurations
Cache Poisoning - Inject headers that could poison intermediate caches
Session Fixation - Inject session-related headers
Bypass Security Controls - Inject headers that bypass server-side security checks

Proof of Concept #

from gakido import Client

# Before fix: X-Injected header would be sent as a separate header
c = Client(impersonate="chrome_120")
r = c.get("https://httpbin.org/headers", headers={
"User-Agent": "test\r\nX-Injected: pwned"
})



References #

GHSA-gcgx-chcp-hxp9
Fix Commit (369c67e)
Release v0.1.1-1bc6019

Timeline:

[2026-01-25] - Reported
[2026-01-27] - Published

Credits: Omar Kurt