GitHub_M·CWE-93·Published 2026-01-26
Gakido is a Python HTTP client focused on browser impersonation and anti-bot evasion. A vulnerability was discovered in Gakido prior to version 0.1.1 that allowed HTTP header injection through CRLF (Carriage Return Line Feed) sequences in user-supplied header values and names. When making HTTP requests with user-controlled header values containing `\r\n` (CRLF), `\n` (LF), or `\x00` (null byte) characters, an attacker could inject arbitrary HTTP headers into the request. The fix in version 0.1.1 adds a `_sanitize_header()` function that strips `\r`, `\n`, and `\x00` characters from both header names and values before they are included in HTTP requests.
A vulnerability was discovered in Gakido that allowed HTTP Header Injection through CRLF (Carriage Return Line Feed) sequences in user-supplied header values and names. When making HTTP requests with user-controlled header values containing `\r\n` (CRLF), `\n` (LF), or `\x00` (null byte) characters, an attacker could inject arbitrary HTTP headers into the request.

## Impact

An attacker who can control header values passed to Gakido's `Client.get()`, `Client.post()`, or other request methods could:

1. **Inject arbitrary HTTP headers** - Add malicious headers to requests
2. **HTTP Response Splitting** - Potentially manipulate responses in certain proxy configurations
3. **Cache Poisoning** - Inject headers that could poison intermediate caches
4. **Session Fixation** - Inject session-related headers
5. **Bypass Security Controls** - Inject headers that bypass server-side security checks

## Proof of Concept

```python
from gakido import Client

# Before fix: X-Injected header would be sent as a separate header
c = Client(impersonate="chrome_120")
r = c.get("https://httpbin.org/headers", headers={
    "User-Agent": "test\r\nX-Injected: pwned"
})

# The server would receive:
# User-Agent: test
# X-Injected: pwned
```

## Affected Code

The vulnerability existed in the header processing logic where user-supplied headers were not sanitized before being sent in HTTP requests.

**File:** `gakido/headers.py`

**Function:** `canonicalize_headers()`

## Fix

The fix adds a `_sanitize_header()` function that strips `\r`, `\n`, and `\x00` characters from both header names and values before they are included in HTTP requests.

```python
def _sanitize_header(name: str, value: str) -> tuple[str, str]:
    """
    Sanitize header name and value to prevent HTTP header injection (CRLF injection).
    Strips CR, LF, and null bytes from both name and value.
    """
    clean_name = name.replace("\r", "").replace("\n", "").replace("\x00", "")
    clean_value = value.replace("\r", "").replace("\n", "").replace("\x00", "")
    return clean_name, clean_value
```
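The effect of the fix on the wire, as an added example that is not Gakido's code: `serialize()` and `headers_seen_by_server()` are hypothetical stand-ins for a client's wire encoder and a lenient server parser, and `strict_validate()` is an assumed stricter alternative that rejects bad input instead of rewriting it. Note that stripping keeps the request going with the payload folded into one value (`testX-Injected: pwned`), whereas rejecting surfaces the bad input to the caller.

```python
import re

# RFC 9110 "token": the only characters allowed in a field name.
_TOKEN = re.compile(r"[!#$%&'*+\-.^_`|~0-9A-Za-z]+")
# Characters that end or corrupt a header line on the wire.
_FORBIDDEN = re.compile(r"[\r\n\x00]")

def strip_sanitize(name, value):
    """Same approach as the fix quoted above: delete CR, LF and NUL."""
    return _FORBIDDEN.sub("", name), _FORBIDDEN.sub("", value)

def strict_validate(name, value):
    """Assumed alternative (not Gakido's behaviour): reject, do not rewrite."""
    if not _TOKEN.fullmatch(name):
        raise ValueError(f"illegal header name: {name!r}")
    if _FORBIDDEN.search(value):
        raise ValueError(f"illegal character in value of {name!r}")
    return name, value

def serialize(headers, clean=None):
    """Hypothetical minimal HTTP/1.1 request serializer."""
    lines = ["GET /headers HTTP/1.1", "Host: example.test"]
    for name, value in headers.items():
        if clean is not None:
            name, value = clean(name, value)
        lines.append(f"{name}: {value}")
    return "\r\n".join(lines) + "\r\n\r\n"

def headers_seen_by_server(raw):
    """Parse the head as a lenient server would: CRLF or bare LF ends a line."""
    head = raw.split("\r\n\r\n", 1)[0]
    seen = {}
    for line in re.split(r"\r?\n", head)[1:]:  # skip the request line
        name, _, value = line.partition(":")
        seen[name.strip().lower()] = value.strip()
    return seen

# Constructed sample input: one caller-supplied header carrying a CRLF.
SAMPLE = {"User-Agent": "test\r\nX-Injected: pwned"}

if __name__ == "__main__":
    print(headers_seen_by_server(serialize(SAMPLE)))                  # unsanitized
    print(headers_seen_by_server(serialize(SAMPLE, strip_sanitize)))  # stripped
```
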
| Version | Type | Source | Base | Exp | Impact | Vector |
|---|---|---|---|---|---|---|
| 3.1 | Primary | cve.org | 5.3 | — | — | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N |
| 3.1 | Secondary | NVD | 5.3 | 3.9 | 1.4 | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N |
| 3.1 | Secondary | GHSA | 5.3 | — | — | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N |