Critical Gakido Vulnerability Allows Attackers to Bypass Security Controls
A significant security flaw has been identified in Gakido, an HTTP client library developed by HappyHackingSpace. This vulnerability enables attackers to inject arbitrary HTTP headers using Carriage Return Line Feed (CRLF) sequences, potentially compromising server-side security measures.
Vulnerability Details
Designated as CVE-2026-24489 and detailed in advisory RO-26-005, this medium-severity vulnerability affects all Gakido versions prior to 0.1.1-1bc6019. The issue resides in the library’s header processing mechanism, specifically within the `canonicalize_headers()` function located in `gakido/headers.py`.
When applications pass user-controlled header values containing CRLF sequences (`\r\n`), bare line feed characters (`\n`), or null bytes (`\x00`) to Gakido’s request methods, these characters are neither rejected nor stripped before the value is written into the outgoing request. Because CR/LF terminates a header line on the wire, whatever follows the sequence is parsed by the server as a separate header, so an attacker who controls one header value can add headers the application never set and undermine the integrity of the HTTP exchange.
Potential Exploits
Exploitation of this vulnerability can lead to several malicious activities:
– Unauthorized Header Injection: Attackers can add headers to requests without authorization, potentially altering the behavior of the target server.
– HTTP Response Manipulation: By injecting headers into proxy configurations, attackers can modify HTTP responses, leading to misinformation or further exploitation.
– Cache Poisoning: Inserting cache-control-related headers can corrupt intermediate caches, causing the delivery of outdated or malicious content to users.
– Session Fixation: Injecting session-related headers may allow attackers to bypass server-side security controls, granting unauthorized access to protected resources.
This vulnerability is particularly concerning in scenarios where applications accept user input for HTTP headers without proper validation. A proof of concept illustrates the ease of exploitation:
```python
# Before fix: X-Injected header would be sent as a separate header
from gakido import Client  # import path assumed from the package layout (gakido/headers.py)

# Quoting restored around the profile name, URL and header strings, which the
# original listing lost; the impersonation profile is the one named in the advisory PoC.
c = Client(impersonate="chrome_120")
r = c.get("https://httpbin.org/headers", headers={
    "User-Agent": "test\r\nX-Injected: pwned",
})
```
In this example, by creating a Gakido client with impersonation enabled and supplying a User-Agent header containing CRLF sequences followed by a malicious X-Injected header, an attacker can successfully inject unauthorized headers into HTTP requests processed by the library.
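To make the mechanism concrete, the following added example (not Gakido's code and not taken from the advisory) serialises a request the way the vulnerable versions are described as doing, copying header values verbatim, and then parses the bytes as a lenient HTTP/1.1 server would, so the injected `X-Injected` header appears as its own field. It also shows the boundary check a fixed `canonicalize_headers()` needs: reject any name that is not an RFC 9110 token and any value containing CR, LF, NUL or another control character. The serializer, parser and check are stand-ins written for this article; the attacker-controlled values are constructed inputs.

```python
import re

# Added example, not Gakido's code: what a CR/LF (or bare LF) inside a header
# value does to the request on the wire, and the pre-send check that prevents it.
# serialize_request_unsafe() is a minimal stand-in for the library's own request
# writer; parse_header_block() is a generic HTTP/1.1 header parser.

CRLF = "\r\n"

# Constructed attacker-controlled values (not from the advisory).
MALICIOUS_UA_CRLF = "test\r\nX-Injected: pwned"
MALICIOUS_UA_LF = "test\nX-Injected: pwned"

# RFC 9110 field-name: one or more token characters.
_TOKEN_RE = re.compile(r"[!#$%&'*+\-.^_`|~0-9A-Za-z]+")
# RFC 9110 field-value: HTAB, SP, printable ASCII and obs-text.
# CR, LF, NUL and every other control character are excluded.
_VALUE_RE = re.compile(r"[\t\x20-\x7e\x80-\xff]*")


def serialize_request_unsafe(method, path, host, headers):
    """Write headers verbatim, as the advisory says vulnerable versions did:
    a CR/LF inside a value ends the header line early."""
    lines = [f"{method} {path} HTTP/1.1", f"Host: {host}"]
    for name, value in headers.items():
        lines.append(f"{name}: {value}")
    return (CRLF.join(lines) + CRLF + CRLF).encode("latin-1")


def parse_header_block(raw):
    """Parse the header section as a lenient server would: the request line,
    then one 'Name: value' per line, where either CRLF or a bare LF ends a
    line (RFC 9112 lets recipients accept a lone LF as a terminator)."""
    head, _, _ = raw.partition(b"\r\n\r\n")
    lines = re.split(r"\r\n|\n", head.decode("latin-1"))
    parsed = []
    for line in lines[1:]:  # skip the request line
        name, sep, value = line.partition(":")
        if sep:
            parsed.append((name.strip(), value.strip()))
    return parsed


def header_is_safe(name, value):
    """True when name is a valid token and value holds no CR, LF, NUL or other
    control character, i.e. it cannot terminate or split a header line."""
    return bool(_TOKEN_RE.fullmatch(name)) and bool(_VALUE_RE.fullmatch(value))


def serialize_request_safe(method, path, host, headers):
    """Hardened serializer: reject rather than strip, so the caller learns the
    value was hostile instead of sending a silently altered request."""
    for name, value in headers.items():
        if not header_is_safe(name, value):
            raise ValueError(f"refusing to send header {name!r}: CR/LF/NUL in name or value")
    return serialize_request_unsafe(method, path, host, headers)


if __name__ == "__main__":
    for ua in (MALICIOUS_UA_CRLF, MALICIOUS_UA_LF):
        raw = serialize_request_unsafe("GET", "/headers", "httpbin.org", {"User-Agent": ua})
        print("server sees:", parse_header_block(raw))
        try:
            serialize_request_safe("GET", "/headers", "httpbin.org", {"User-Agent": ua})
        except ValueError as exc:
            print("hardened serializer:", exc)
```

The check rejects instead of stripping the offending characters: silently deleting a CR or LF turns `test\r\nX-Injected: pwned` into the single value `testX-Injected: pwned`, which hides the attack from the caller and can still surprise the server. Note also that the bare-LF case splits the header just as CRLF does on servers that accept a lone LF, which is why the advisory lists `\n` on its own as a trigger.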
Timeline and Response
– January 25, 2026: The vulnerability was reported.
– January 27, 2026: Public disclosure occurred, providing limited time for the development team to address the issue before it became widely known.
In response, the security team promptly released patch version 0.1.1-1bc6019, available through the project’s GitHub repository.
Recommendations
Users of Gakido are strongly advised to upgrade to the patched version immediately to mitigate the risk of header injection attacks. Organizations utilizing Gakido in production environments should prioritize this update, especially those handling sensitive HTTP communications or applications that accept user-supplied header values.
This incident underscores the critical importance of input sanitization in HTTP client libraries and serves as a reminder for developers and security researchers alike to treat header values that originate outside the application as untrusted input, even when they are handed to a well-known library that handles network communication primitives.
For additional technical details and the complete fix implementation, refer to the official GitHub advisory (GHSA-gcgx-chcp-hxp9) and the corresponding commit (369c67e) in the repository.