CVE-2026-24489
CRLF Injection in Gakido HTTP Client Allows Header Manipulation

Publication date: 2026-01-27

Last updated on: 2026-01-27

Assigner: GitHub, Inc.

Description
Gakido is a Python HTTP client focused on browser impersonation and anti-bot evasion. A vulnerability was discovered in Gakido prior to version 0.1.1 that allowed HTTP header injection through CRLF (Carriage Return Line Feed) sequences in user-supplied header values and names. When making HTTP requests with user-controlled header values containing `\r\n` (CRLF), `\n` (LF), or `\x00` (null byte) characters, an attacker could inject arbitrary HTTP headers into the request. The fix in version 0.1.1 adds a `_sanitize_header()` function that strips `\r`, `\n`, and `\x00` characters from both header names and values before they are included in HTTP requests.
Meta Information
Generated: 2026-05-07
AI Q&A: 2026-01-27
EPSS Evaluated: 2026-05-05
Affected Vendors & Products (2 associated CPEs)
Vendor             Product   Version / Range
happyhackingspace  gakido    up to 0.1.1 (exclusive)
happyhackingspace  gakido    0.1.1
CWE ID    Description
CWE-113   The product receives data from an HTTP agent/component (e.g., web server, proxy, browser, etc.), but it does not neutralize or incorrectly neutralizes CR and LF characters before the data is included in outgoing HTTP headers.
CWE-93    The product uses CRLF (carriage return line feeds) as a special element, e.g. to separate lines or records, but it does not neutralize or incorrectly neutralizes CRLF sequences from inputs.
AI Powered Q&A
Can you explain this vulnerability to me?

CVE-2026-24489 is a vulnerability in the Gakido Python HTTP client where an attacker can inject arbitrary HTTP headers into requests by including special characters like CRLF (\r\n), LF (\n), or null bytes (\x00) in user-supplied header names or values. This happens because the library did not sanitize these characters before sending headers, allowing HTTP header injection and response splitting attacks. The issue was fixed by adding a sanitization function that removes these characters from headers before sending. [2, 3]


How can this vulnerability impact me?

This vulnerability can allow attackers to inject arbitrary HTTP headers, leading to several impacts including HTTP response splitting, cache poisoning, session fixation, and bypassing server-side security controls. These impacts can manipulate how HTTP responses are processed by clients or intermediaries, potentially compromising the integrity of communications and security mechanisms. [2, 3]


How can this vulnerability be detected on my network or system? Can you suggest some commands?

Detection of this vulnerability involves monitoring HTTP requests made by the Gakido client for suspicious header values containing CRLF (\r\n), LF (\n), or null byte (\x00) characters that could indicate header injection attempts. Since the vulnerability allows injection of arbitrary HTTP headers via these characters, you can inspect outgoing HTTP requests for headers with such characters. For example, you can use network packet capture tools like tcpdump or Wireshark to capture HTTP traffic and filter for suspicious headers. A sample tcpdump command to capture HTTP traffic on port 80 could be:

`tcpdump -A -s 0 'tcp port 80' | grep -P '\r|\n|\x00'`

However, since these characters may be invisible or cause line breaks, you might need to use more advanced inspection or custom scripts to parse headers for injection patterns. Additionally, reviewing logs or using intrusion detection systems (IDS) that detect CRLF injection patterns in HTTP headers can help. Note that the vulnerability is specific to Gakido versions prior to 0.1.1, so verifying the version in use is also important. [2]


What immediate steps should I take to mitigate this vulnerability?

The immediate mitigation step is to upgrade Gakido to version 0.1.1 or later, where the vulnerability is fixed by the introduction of the _sanitize_header() function. This function removes CR (\r), LF (\n), and null byte (\x00) characters from both HTTP header names and values before sending requests, preventing header injection. If upgrading is not immediately possible, as a temporary measure, ensure that any user-supplied header values are sanitized to strip these characters before being passed to Gakido's HTTP request methods. Avoid using untrusted input directly in HTTP headers. Monitoring and blocking suspicious HTTP requests with injected headers can also help reduce risk until the patch is applied. [2, 3, 1]
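As an added illustration of the strip-based fix described in the Description and in the mitigation answer above (example code written for this page, not Gakido's own `_sanitize_header()`), the following Python sketch serializes a header block with and without a sanitizer that strips CR, LF and NUL, counts the header lines a parser would see, and offers a detection helper for the interim "sanitize before passing to Gakido" measure. The function names and the sample headers are constructed for this example.

```python
import re

# CR, LF and NUL: the characters the advisory says Gakido 0.1.1 strips. This
# constant and everything below are constructed for illustration, not Gakido code.
_FORBIDDEN = re.compile(r"[\r\n\x00]")

def sanitize_header(name: str, value: str) -> tuple:
    """Strip-based policy, as the advisory describes for _sanitize_header()."""
    return _FORBIDDEN.sub("", name), _FORBIDDEN.sub("", value)

def contains_injection(name: str, value: str) -> bool:
    """Detection helper: True if a name or value carries line-framing characters.
    Rejecting (or logging) instead of silently stripping is the stricter choice."""
    return bool(_FORBIDDEN.search(name) or _FORBIDDEN.search(value))

def serialize_headers(headers: dict, sanitize: bool) -> bytes:
    """Build an HTTP/1.1 header block; with sanitize=False this mirrors the
    pre-0.1.1 behaviour of passing header strings straight into the request."""
    lines = []
    for name, value in headers.items():
        if sanitize:
            name, value = sanitize_header(name, value)
        lines.append(f"{name}: {value}")
    return ("\r\n".join(lines) + "\r\n\r\n").encode("latin-1")

def count_header_lines(block: bytes) -> int:
    """Header lines a lenient HTTP/1.1 parser (CRLF or bare LF) would see."""
    body = block.rstrip(b"\r\n")
    return len([ln for ln in re.split(rb"\r\n|\n", body) if ln])

# Constructed sample: one benign header and one user-controlled value that
# carries a CRLF followed by a second header name.
SAMPLE_HEADERS = {
    "User-Agent": "Mozilla/5.0",
    "X-Trace-Id": "abc123\r\nX-Injected: 1",
}

def line_counts(headers: dict = SAMPLE_HEADERS) -> tuple:
    """(lines seen without sanitizing, lines seen with sanitizing)."""
    unsafe = count_header_lines(serialize_headers(headers, sanitize=False))
    safe = count_header_lines(serialize_headers(headers, sanitize=True))
    return unsafe, safe

if __name__ == "__main__":
    for name, value in SAMPLE_HEADERS.items():
        if contains_injection(name, value):
            print(f"alert: header {name!r} contains CR/LF/NUL, sanitize or reject")
    print("header lines seen (unsanitized, sanitized):", line_counts())
```

With the sample input the unsanitized block yields three header lines (the smuggled one included) while the sanitized block yields two, which is the property a test in a Gakido wrapper should assert before untrusted values reach the client.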

