A critical vulnerability in Gakido, an HTTP client library by HappyHackingSpace, has been discovered that allows attackers to inject arbitrary HTTP headers through CRLF (Carriage Return Line Feed) sequences.
Tracked as CVE-2026-24489 under advisory RO-26-005, the vulnerability affects all versions before 0.1.1-1bc6019 and has a medium severity rating.
The flaw enables attackers to bypass server-side security controls, poison caches, and manipulate HTTP responses through crafted header injection attacks.
The vulnerability exists in Gakido’s header processing logic, specifically in the canonicalize_headers() function in gakido/headers.py.
When an application passes user-controlled header values containing CRLF sequences (rn), line feed characters (n), or null bytes (x00) to Gakido’s request methods, these characters are not properly sanitized before being transmitted in HTTP requests.
This insufficient input validation allows attackers to inject arbitrary HTTP headers into legitimate requests, fundamentally compromising the integrity of HTTP communications.
An attacker exploiting this vulnerability can execute multiple attack vectors with significant business impact.
By injecting malicious headers, an attacker can add unauthorized headers to requests, manipulate HTTP responses via header injection in proxy configurations, and poison intermediate caches by injecting cache-control-related headers.
Additionally, attackers can exploit session fixation by injecting session-related headers to bypass server-side security controls designed to protect resources.
The vulnerability proves particularly dangerous in scenarios where applications accept user input for HTTP headers without proper validation. The proof of concept demonstrates the simplicity of exploitation.
# Before fix: X-Injected header would be sent as a separate header
c = Client(impersonate="chrome_120")
r = c.get("https://httpbin.org/headers", headers={
"User-Agent": "testrnX-Injected: pwned"
})
By instantiating a Gakido client with impersonation enabled and passing a User-Agent header containing CRLF sequences followed by a malicious X-Injected header.
Attackers can successfully inject unauthorized headers into HTTP requests sent through the library.
Vulnerability Summary
The discovery was reported on January 25, 2026, and publicly disclosed on January 27, 2026, leaving the development team minimal time to prepare before public awareness.
The security team promptly released patch version 0.1.1-1bc6019, available through the project’s GitHub repository.
Users of Gakido must immediately upgrade to the patched version to mitigate the risk of header injection attacks.
According to Rosecurify advisory, organizations utilizing Gakido in production environments should prioritize this update, particularly those handling sensitive HTTP communications or applications that accept user-supplied header values.
The vulnerability underscores the critical importance of input sanitization in HTTP client libraries. It highlights why security researchers should exercise caution when working with external libraries handling network communication primitives.
Additional technical details and the complete fix implementation are available through the official GitHub advisory (GHSA-gcgx-chcp-hxp9) and the corresponding commit (369c67e) in the repository.
Follow us on Google News, LinkedIn, and X for daily cybersecurity updates. Contact us to feature your stories.
