CVE-2026-24489
CRLF Injection in Gakido HTTP Client Allows Header Manipulation
Publication date: 2026-01-27
Last updated on: 2026-01-27
Assigner: GitHub, Inc.
Description
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| happyhackingspace | gakido | < 0.1.1 |
| happyhackingspace | gakido | 0.1.1 |
Exploitability
| CWE ID | Description |
|---|---|
| CWE-113 | The product receives data from an HTTP agent/component (e.g., web server, proxy, browser, etc.), but it does not neutralize or incorrectly neutralizes CR and LF characters before the data is included in outgoing HTTP headers. |
| CWE-93 | The product uses CRLF (carriage return line feeds) as a special element, e.g. to separate lines or records, but it does not neutralize or incorrectly neutralizes CRLF sequences from inputs. |
AI Powered Q&A
Can you explain this vulnerability to me?
CVE-2026-24489 is a header-injection flaw in the Gakido Python HTTP client. Before version 0.1.1 the library copied caller-supplied header names and values into the outgoing request without neutralizing CR (\r), LF (\n) or NUL (\x00) bytes. CRLF is the line terminator in HTTP/1.1, and many servers also accept a bare LF, so an attacker who controls a header value can end the current header line and start a new one, adding arbitrary headers to the request the client sends; the receiving server or proxy then treats the injected line as if the application had set it deliberately. The advisory lists the classic consequences of header injection, including HTTP response splitting. The fix in 0.1.1 adds a sanitization function that removes these characters from both names and values before the request is assembled. [2, 3]
How can this vulnerability impact me?
An attacker who can influence a header name or value passed to Gakido can add headers of their choosing to the request. The advisory lists the resulting impacts as HTTP response splitting, cache poisoning, session fixation and bypass of server-side security controls: injected headers can change how the request is routed and cached, which cookies or credentials travel with it, and which trust signals (Host, custom authentication or internal-only headers) the server sees, so both the integrity of the communication and any control that relies on those headers is compromised. [2, 3]
How can this vulnerability be detected on my network or system? Can you suggest some commands?
The injection happens inside the process that uses Gakido, so the most reliable check is at the point where untrusted input reaches a header: any CR (\r), LF (\n) or NUL (\x00) in a header name or value is an injection attempt, and an allow-list of header names that callers may set is cheap to enforce there. On the wire a successful injection is harder to spot. The sample command often suggested for this, tcpdump -A -s 0 'tcp port 80' | grep -P '\r|\n|\x00', cannot work: grep matches one line at a time, so \n never appears in its input, and tcpdump -A rewrites non-printable bytes as dots. A payload such as X-Custom: bar\r\nX-Injected: 1 also produces two well-formed header lines that look identical to legitimate traffic. What does remain visible in plaintext traffic is a bare CR or LF used as a line ending (a tolerant server still honours it), NUL bytes, malformed header lines, and duplicated security-relevant headers such as Host, Content-Length, Transfer-Encoding, Cookie or Authorization. Capture with tcpdump -s 0 -w gakido.pcap 'tcp port 80' and inspect the request headers offline (Wireshark's HTTP dissector shows every header line), or put the same checks in an egress proxy or IDS; TLS traffic can only be inspected where it is terminated. Finally, confirm the installed version: the flaw is present in Gakido releases before 0.1.1, so pip show gakido (assuming the distribution is published under that name) tells you whether a host is affected. [2]
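The checks described above, as an added example rather than code from the Gakido project or from this advisory: it scans a captured HTTP request for the on-wire artefacts an injection can leave (NUL bytes, bare CR or LF line endings, malformed header lines, duplicated sensitive headers) and compares an installed version against the 0.1.1 fix release. The sample requests are constructed for the example, the header-name grammar follows the RFC 9110 token rule, and the distribution name "gakido" is an assumption.

```python
import re
from importlib import metadata

# Constructed sample requests, as an HTTP client would emit them on the wire.
# Only the last three carry an injection artefact that is visible in a capture.
SAMPLE_REQUESTS = {
    "clean": b"GET /api HTTP/1.1\r\nHost: example.test\r\nX-Trace: abc\r\n\r\n",
    "bare_lf": b"GET /api HTTP/1.1\r\nHost: example.test\r\nX-Trace: abc\nX-Injected: 1\r\n\r\n",
    "nul": b"GET /api HTTP/1.1\r\nHost: example.test\r\nX-Trace: a\x00b\r\n\r\n",
    "dup_host": b"GET /api HTTP/1.1\r\nHost: example.test\r\nX-Trace: abc\r\nHost: attacker.test\r\n\r\n",
}

# RFC 9110 field-name token, a colon, then a value free of CR, LF and NUL.
HEADER_LINE = re.compile(rb"^[!#$%&'*+\-.^_`|~0-9A-Za-z]+:[ \t]*[^\r\n\x00]*$")
# Headers whose duplication usually means a second, attacker-supplied copy.
SENSITIVE = {b"host", b"content-length", b"transfer-encoding", b"cookie", b"authorization"}


def header_anomalies(raw: bytes) -> list:
    """Return human-readable findings for one captured HTTP request."""
    head = raw.partition(b"\r\n\r\n")[0]
    findings = []
    if b"\x00" in head:
        findings.append("NUL byte in header section")
    # A CR not followed by LF, or an LF not preceded by CR, is never produced by
    # a well-behaved client, but lenient servers still treat it as a line break.
    if re.search(rb"\r(?!\n)|(?<!\r)\n", head):
        findings.append("bare CR or LF in header section")
    seen = {}
    for line in re.split(rb"\r\n|\n|\r", head)[1:]:  # skip the request line
        if not HEADER_LINE.match(line):
            findings.append(f"malformed header line: {line!r}")
            continue
        name = line.split(b":", 1)[0].lower()
        seen[name] = seen.get(name, 0) + 1
    for name, count in seen.items():
        if count > 1 and name in SENSITIVE:
            findings.append(f"duplicate {name.decode()} header ({count} occurrences)")
    return findings


def version_is_vulnerable(version: str) -> bool:
    """True for releases before 0.1.1, the fix version named in the advisory.
    Assumes plain dotted numeric versions (no pre-release handling)."""
    parts = tuple(int(p) for p in re.findall(r"\d+", version)[:3])
    return parts < (0, 1, 1)


def installed_gakido_vulnerable():
    """Check the installed package; assumes the distribution is named 'gakido'.
    Returns None when it is not installed."""
    try:
        return version_is_vulnerable(metadata.version("gakido"))
    except metadata.PackageNotFoundError:
        return None


if __name__ == "__main__":
    for label, request in SAMPLE_REQUESTS.items():
        print(label, header_anomalies(request) or "no findings")
    print("installed gakido vulnerable:", installed_gakido_vulnerable())
```

Note what the clean sample shows: a payload whose injected line is itself a valid header leaves no artefact at all, which is why the application-side check on header values remains the primary control and the capture-side scan is only a backstop.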
What immediate steps should I take to mitigate this vulnerability?
Upgrade Gakido to 0.1.1 or later. The advisory describes the fix as a new _sanitize_header() function that removes CR (\r), LF (\n) and NUL (\x00) from both header names and values before the request is sent. (The affected-products table above lists 0.1.1 on its own row; the advisory text names 0.1.1 as the fixed release, so treat every version below 0.1.1 as affected.) If you cannot upgrade immediately, sanitize at the call site: strip, or better reject, any header name or value containing those characters before it reaches Gakido's request methods, keep an allow-list of header names that callers may set, and never pass untrusted input straight into a header. Rejecting is preferable to silent stripping, because stripping turns a name such as X-Evil\r\nHost into X-EvilHost instead of surfacing the attempt. Monitoring for, and blocking, requests that carry injected headers reduces exposure until the upgrade is deployed. [2, 3, 1]
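The pre-fix behaviour beside both hardening options, as an added example that is not Gakido's code: assemble_request models the vulnerable path (raw names and values interpolated into the request), sanitize_header models the strip-CR/LF/NUL approach the advisory attributes to 0.1.1 under the page's name _sanitize_header(), and validate_header is the stricter reject-on-sight alternative. The request builder, the parser and the attacker values are constructed for the example; the header-name grammar is the RFC 9110 token rule.

```python
import re

# The characters the advisory says the 0.1.1 fix strips from names and values.
CR_LF_NUL = re.compile(r"[\r\n\x00]")
# RFC 9110 token grammar for a header name (assumed here, not taken from Gakido).
TOKEN = re.compile(r"[!#$%&'*+\-.^_`|~0-9A-Za-z]+")

# Constructed attacker-controlled values; a bare LF is included because many
# servers honour it as a line terminator, which is why the fix strips LF too.
INJECT_CRLF = "bar\r\nX-Injected: 1"
INJECT_LF = "bar\nX-Injected: 1"


def assemble_request(method: str, path: str, host: str, headers: dict) -> str:
    """Pre-fix behaviour: names and values are interpolated as-is, so a CR or
    LF in either one starts a new line of the request."""
    lines = [f"{method} {path} HTTP/1.1", f"Host: {host}"]
    lines += [f"{name}: {value}" for name, value in headers.items()]
    return "\r\n".join(lines) + "\r\n\r\n"


def sanitize_header(text: str) -> str:
    """Model of the strip approach: silently remove CR, LF and NUL."""
    return CR_LF_NUL.sub("", text)


def validate_header(name: str, value: str) -> None:
    """Stricter alternative: refuse rather than repair, so 'X-Evil\\r\\nHost'
    is reported instead of quietly becoming 'X-EvilHost'."""
    if not TOKEN.fullmatch(name):  # the token grammar excludes CR, LF and NUL
        raise ValueError(f"illegal header name {name!r}")
    if CR_LF_NUL.search(value):
        raise ValueError(f"illegal control character in value of {name!r}")


def build_request(method: str, path: str, host: str, headers: dict, strict: bool = False) -> str:
    """strict=False strips (the behaviour the advisory describes); strict=True rejects."""
    clean = {}
    for name, value in headers.items():
        if strict:
            validate_header(name, value)
            clean[name] = value
        else:
            clean[sanitize_header(name)] = sanitize_header(value)
    return assemble_request(method, path, host, clean)


def parse_headers(raw: str) -> list:
    """Parse like a permissive server: CRLF, LF or CR all end a header line."""
    head = raw.split("\r\n\r\n", 1)[0]
    pairs = []
    for line in re.split(r"\r\n|\n|\r", head)[1:]:  # skip the request line
        name, _, value = line.partition(":")
        pairs.append((name, value.strip()))
    return pairs


if __name__ == "__main__":
    for label, payload in (("CRLF", INJECT_CRLF), ("bare LF", INJECT_LF)):
        raw = assemble_request("GET", "/", "example.test", {"X-Custom": payload})
        print(label, "unsanitized ->", parse_headers(raw))
        fixed = build_request("GET", "/", "example.test", {"X-Custom": payload})
        print(label, "stripped    ->", parse_headers(fixed))
        try:
            build_request("GET", "/", "example.test", {"X-Custom": payload}, strict=True)
        except ValueError as exc:
            print(label, "strict      -> rejected:", exc)
```

The parsed output makes the difference concrete: the unsanitized request carries a third header, X-Injected, that the application never set, the stripped request carries a single X-Custom header whose value now reads barX-Injected: 1, and the strict builder refuses the call outright.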