CVE-2026-24489

Summary

Gakido is a Python HTTP client focused on browser impersonation and anti-bot evasion. A vulnerability was discovered in Gakido prior to version 0.1.1 that allowed HTTP header injection through CRLF (Carriage Return Line Feed) sequences in user-supplied header values and names. When making HTTP requests with user-controlled header values containing \r\n (CRLF), \n (LF), or \x00 (null byte) characters, an attacker could inject arbitrary HTTP headers into the request. The fix in version 0.1.1 adds a _sanitize_header() function that strips \r, \n, and \x00 characters from both header names and values before they are included in HTTP requests.

Affected Software

VendorProductVersion RangeStatus
HappyHackingSpacegakido< 0.1.1affected

Weaknesses

  • CWE-93: CWE-93: Improper Neutralization of CRLF Sequences ('CRLF Injection')
  • CWE-113: CWE-113: Improper Neutralization of CRLF Sequences in HTTP Headers ('HTTP Request/Response Splitting')

ADP Enrichment

CISA ADP Vulnrichment

  • SSVC:
  • Exploitation: poc
    • Automatable: yes
    • Technical Impact: partial

References