Description
Gakido is a Python HTTP client focused on browser impersonation and anti-bot evasion. A vulnerability was discovered in Gakido prior to version 0.1.1 that allowed HTTP header injection through CRLF (Carriage Return Line Feed) sequences in user-supplied header values and names. When making HTTP requests with user-controlled header values containing `\r\n` (CRLF), `\n` (LF), or `\x00` (null byte) characters, an attacker could inject arbitrary HTTP headers into the request. The fix in version 0.1.1 adds a `_sanitize_header()` function that strips `\r`, `\n`, and `\x00` characters from both header names and values before they are included in HTTP requests.
Published: 2026-01-27
Score: 5.3 Medium
EPSS: < 1% Very Low
KEV: No
Impact: Header injection via CRLF may allow an attacker to inject arbitrary HTTP headers into requests, potentially altering request integrity and downstream processing
Action: Patch
AI Analysis

Impact

A flaw in Gakido before version 0.1.1 permits the injection of arbitrary HTTP headers when user‑supplied header names or values contain CRLF, LF, or null bytes. The client builds raw HTTP requests, so a crafted header can be inserted and sent to the target server, altering the semantics of the request or enabling header‑based attacks such as request smuggling or bypassing security checks performed downstream.

Affected Systems

HappyHackingSpace’s Gakido HTTP client is affected in all releases prior to v0.1.1. The issue was fixed in the 0.1.1 release and later versions.

Risk and Exploitability

The CVSS score of 5.3 indicates medium severity. The EPSS score is below 1%, signifying a low probability of exploitation at the time of analysis. The vulnerability is not listed in the KEV catalog. Based on the description, the primary attack vector is inferred to be an application that passes user‑controlled header names or values to Gakido. The injected headers can modify request flow, but there is no evidence of code execution or higher‑level compromise. Overall, the risk is limited to integrity impacts on the HTTP requests.

Generated by OpenCVE AI on April 18, 2026 at 14:57 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade Gakido to version 0.1.1 or later to apply the built‑in header sanitization
  • If upgrading is not immediately feasible, validate and strip CRLF, LF, or null byte characters from all header names and values before passing them to Gakido
  • Review any code that constructs or manipulates headers for Gakido usage to enforce strict validation and prevent injection attempts
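As an added illustration of the fix and the interim workaround above (example code written for this page, not Gakido's own; the function names, the hand-rolled request serializer and the sample header value are assumptions): the sanitizer mirrors the described behaviour of `_sanitize_header()`, a stricter validator rejects instead of repairing, and a line counter shows that a CRLF-bearing value no longer produces an extra header line on the wire.

```python
import re

# Characters the 0.1.1 fix is described as stripping from names and values.
_FORBIDDEN = ("\r", "\n", "\x00")

# Token characters permitted in a header name (RFC 9110 tchar). fullmatch is
# used below instead of ^...$ because "$" would accept a trailing "\n".
_TOKEN_RE = re.compile(r"[!#$%&'*+\-.^_`|~0-9A-Za-z]+")


def sanitize_header(name: str, value: str) -> tuple[str, str]:
    """Strip CR, LF and NUL from a header name and value.
    Mirrors the behaviour attributed to Gakido 0.1.1; not its code."""
    for ch in _FORBIDDEN:
        name = name.replace(ch, "")
        value = value.replace(ch, "")
    return name, value


def validate_header(name: str, value: str) -> tuple[str, str]:
    """Stricter workaround for callers who cannot upgrade yet: reject rather
    than silently repair, so an injection attempt surfaces as an error."""
    if not _TOKEN_RE.fullmatch(name):
        raise ValueError(f"invalid header name: {name!r}")
    if any(ch in value for ch in _FORBIDDEN):
        raise ValueError(f"control characters in value of {name!r}")
    return name, value.strip(" \t")


def build_request(method: str, path: str, headers: dict,
                  sanitize=sanitize_header) -> bytes:
    """Serialise a raw HTTP/1.1 request the way a hand-rolled client does.
    Every header passes through `sanitize` before it reaches the wire."""
    lines = [f"{method} {path} HTTP/1.1"]
    for name, value in headers.items():
        n, v = sanitize(name, value)
        lines.append(f"{n}: {v}")
    return ("\r\n".join(lines) + "\r\n\r\n").encode("latin-1")


def header_line_count(raw: bytes) -> int:
    """Header lines actually present on the wire (request line excluded).
    A mismatch with the number of headers supplied signals injection."""
    head = raw.split(b"\r\n\r\n", 1)[0]
    return len(head.split(b"\r\n")) - 1


# Constructed sample: one user-controlled value carrying a CRLF sequence.
# Unsanitised, the text after the CRLF would become a second header line.
TAINTED = {"User-Agent": "Mozilla/5.0\r\nX-Injected: 1"}
```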

Advisories
Source: GitHub GHSA
ID: GHSA-gcgx-chcp-hxp9
Title: Gakido vulnerable to HTTP Header Injection (CRLF Injection)
History

Tue, 27 Jan 2026 15:15:00 +0000

Type: Metrics
Values Added: ssvc {'options': {'Automatable': 'yes', 'Exploitation': 'poc', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


Tue, 27 Jan 2026 09:15:00 +0000

Type: First Time appeared
Values Added: Happyhackingspace, Happyhackingspace gakido
Type: Vendors & Products
Values Added: Happyhackingspace, Happyhackingspace gakido

Tue, 27 Jan 2026 01:00:00 +0000

Type: Description
Values Added: Gakido is a Python HTTP client focused on browser impersonation and anti-bot evasion. A vulnerability was discovered in Gakido prior to version 0.1.1 that allowed HTTP header injection through CRLF (Carriage Return Line Feed) sequences in user-supplied header values and names. When making HTTP requests with user-controlled header values containing `\r\n` (CRLF), `\n` (LF), or `\x00` (null byte) characters, an attacker could inject arbitrary HTTP headers into the request. The fix in version 0.1.1 adds a `_sanitize_header()` function that strips `\r`, `\n`, and `\x00` characters from both header names and values before they are included in HTTP requests.
Type: Title
Values Added: Gakido vulnerable to HTTP Header Injection (CRLF Injection)
Type: Weaknesses
Values Added: CWE-113, CWE-93
Type: References
Type: Metrics
Values Added: cvssV3_1 {'score': 5.3, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N'}


MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published:

Updated: 2026-01-27T14:46:42.530Z

Reserved: 2026-01-23T00:38:20.548Z

Link: CVE-2026-24489

Vulnrichment

Updated: 2026-01-27T14:46:37.086Z

NVD

Status: Deferred

Published: 2026-01-27T01:16:02.453

Modified: 2026-04-15T00:35:42.020

Link: CVE-2026-24489

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-04-18T15:00:03Z

Weaknesses