Advisory ID: RO-26-005
CVE ID: CVE-2026-24489
Severity: Medium
Vendor: HappyHackingSpace
Product: Gakido
Version: < 0.1.1-1bc6019

Overview

A vulnerability was discovered in Gakido that allowed HTTP header injection through CRLF (Carriage Return Line Feed) sequences in user-supplied header values and names.

Vulnerability Details

When making HTTP requests with user-controlled header values containing \r\n (CRLF), \n (LF), or \x00 (null byte) characters, an attacker could inject arbitrary HTTP headers into the request.

Affected Code: The vulnerability existed in the header processing logic, where user-supplied headers were not sanitized before being sent in HTTP requests.

File: gakido/headers.py
Function: canonicalize_headers()

Impact

An attacker who can control header values passed to Gakido's Client.get(), Client.post(), or other request methods could:

- Inject arbitrary HTTP headers - Add malicious headers to requests
- HTTP Response Splitting - Potentially manipulate responses in certain proxy configurations
- Cache Poisoning - Inject headers that could poison intermediate caches
- Session Fixation - Inject session-related headers
- Bypass Security Controls - Inject headers that bypass server-side security checks

Proof of Concept

    from gakido import Client

    # Before fix: X-Injected header would be sent as a separate header
    c = Client(impersonate="chrome_120")
    r = c.get(
        "https://httpbin.org/headers",
        headers={"User-Agent": "test\r\nX-Injected: pwned"},
    )

References

- GHSA-gcgx-chcp-hxp9
- Fix Commit (369c67e)
- Release v0.1.1-1bc6019

Timeline:
[2026-01-25] - Reported
[2026-01-27] - Published

Credits: Omar Kurt
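The defensive check that was missing from the header processing path, as an added example that is not Gakido's code: a hypothetical safe_canonicalize_headers() that refuses any header name or value carrying CR, LF or NUL before the request is built. The Title-Case canonicalisation is an assumption made for the example, not a description of Gakido's actual canonicalize_headers().

```python
"""Added example (not Gakido's own code): reject CR, LF and NUL in
HTTP header names and values before they reach the wire."""
from typing import Dict, Mapping

# Characters that must never appear in a header name or value: CRLF ends the
# header line, a bare LF is accepted as a line terminator by many parsers, and
# NUL can truncate the value in C-based servers and proxies.
FORBIDDEN = ("\r", "\n", "\x00")


class HeaderInjectionError(ValueError):
    """Raised when a header name or value could start a new header line."""


def check_header(name: str, value: str) -> None:
    """Raise HeaderInjectionError if name or value could inject a header."""
    for field, text in (("name", name), ("value", value)):
        for ch in FORBIDDEN:
            if ch in text:
                raise HeaderInjectionError(
                    f"header {field} {text!r} contains forbidden {ch!r}")
    # A header name is a single token: empty names, whitespace or ':' would
    # also let part of the input masquerade as a separate header.
    if not name or any(c in name for c in " \t:"):
        raise HeaderInjectionError(f"invalid header name {name!r}")


def safe_canonicalize_headers(headers: Mapping[str, str]) -> Dict[str, str]:
    """Hypothetical hardened canonicalizer: validate, then Title-Case names."""
    out: Dict[str, str] = {}
    for name, value in headers.items():
        check_header(name, value)  # fail closed before any normalisation
        canon = "-".join(part.capitalize() for part in name.split("-"))
        out[canon] = value
    return out


def is_injectable(headers: Mapping[str, str]) -> bool:
    """True if the mapping would be rejected (handy for tests and logging)."""
    try:
        safe_canonicalize_headers(headers)
    except HeaderInjectionError:
        return True
    return False


if __name__ == "__main__":
    # Constructed input mirroring the advisory's proof of concept.
    print(is_injectable({"User-Agent": "test\r\nX-Injected: pwned"}))  # True
```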
A medium-severity CRLF injection vulnerability has been discovered in Gakido versions prior to 0.1.1-1bc6019. The vulnerability allows attackers to inject arbitrary HTTP headers by manipulating user-supplied header values, potentially leading to HTTP response splitting and other malicious activity.