📄 Gakido CRLF Injection

Gakido - CRLF Injection
    Advisory ID: RO-26-005
    CVE ID: CVE-2026-24489
    Severity: Medium
    Vendor: HappyHackingSpace
    Product: Gakido
    Version: < 0.1.1-1bc6019
    
    
    Overview #
    
    A vulnerability was discovered in Gakido that allowed HTTP header injection through CRLF (Carriage Return Line Feed) sequences in user-supplied header values and names.
    
    
    Vulnerability Details #
    
    When making HTTP requests with user-controlled header values containing \r\n (CRLF), \n (LF), or \x00 (null byte) characters, an attacker could inject arbitrary HTTP headers into the request.
    
    Affected Code: The vulnerability existed in the header processing logic where user-supplied headers were not sanitized before being sent in HTTP requests.
    
        File: gakido/headers.py
        Function: canonicalize_headers()
    
    Impact #
    
    An attacker who can control header values passed to Gakido's Client.get(), Client.post(), or other request methods could:
    
        Inject arbitrary HTTP headers - Add malicious headers to requests
        HTTP Response Splitting - Potentially manipulate responses in certain proxy configurations
        Cache Poisoning - Inject headers that could poison intermediate caches
        Session Fixation - Inject session-related headers
        Bypass Security Controls - Inject headers that bypass server-side security checks
    
    Proof of Concept #
    
    from gakido import Client
    
    # Before fix: X-Injected header would be sent as a separate header
    c = Client(impersonate="chrome_120")
    r = c.get("https://httpbin.org/headers", headers={
        "User-Agent": "test\r\nX-Injected: pwned"
    })
    
    
    
    References #
    
        GHSA-gcgx-chcp-hxp9
        Fix Commit (369c67e)
        Release v0.1.1-1bc6019
    
    Timeline:
    
        [2026-01-25] - Reported
        [2026-01-27] - Published
    
    Credits: Omar Kurt