Critical CRLF Injection Vulnerability in Gakido HTTP Client Library (CVE-2026-24489)
A vulnerability in Gakido, an HTTP client library developed by HappyHackingSpace, has been disclosed that allows attackers to inject arbitrary HTTP headers through CRLF (Carriage Return Line Feed) sequences. Tracked as CVE-2026-24489 (advisory RO-26-005), the flaw affects all versions of Gakido prior to 0.1.1-1bc6019. Although the report headlines it as critical, the advisory itself rates it medium severity.
The vulnerability stems from insufficient input validation in the canonicalize_headers() function in gakido/headers.py. When a user-controlled header value containing a CRLF sequence (\r\n), a bare line feed (\n), or a null byte (\x00) is passed to Gakido's request methods, the library neither rejects nor sanitizes it before serializing the request. Because HTTP/1.1 delimits header fields with CRLF, a value carrying those bytes is emitted as additional header lines, so an attacker who controls a single header value can add headers of their choosing to an otherwise legitimate request and compromise its integrity.
Exploitation can enable several follow-on attacks, including:
- Unauthorized header injection in HTTP requests.
- HTTP response manipulation via proxy configurations.
- Cache poisoning through injected cache-control headers.
- Session fixation by bypassing server-side security controls.
The proof of concept is trivial: passing a User-Agent value with an embedded CRLF sequence (e.g., "test\r\nX-Injected: pwned") causes the library to emit X-Injected: pwned as a separate header line in the request it sends, and any other header the attacker chooses can be added the same way.
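To make the failure mode in the two paragraphs above concrete, here is an added example (not Gakido's code, and not the project's fix): a hypothetical pre-fix canonicalizer that only normalizes case and whitespace, a hardened variant that rejects CR, LF and NUL in header names and values, a request-head serializer, and a parser that reads the bytes back the way a lenient server would. The helper names, the request builder and the sample headers are assumptions made for this demo; only the advisory's PoC value "test\r\nX-Injected: pwned" comes from the page.

```python
"""Illustrative CRLF header-injection demo (added example; not Gakido's code).

The helper names, the request builder and the 'vulnerable' canonicalizer are
assumptions made for this demo. Only the failure mode (CR, LF and NUL in a
user-controlled header value reaching the wire unchecked) mirrors the advisory.
"""
import re

# Bytes that must never appear inside a single header field (RFC 9110/9112).
_FORBIDDEN = re.compile(r"[\r\n\x00]")
# HTTP token characters permitted in a field name.
_TOKEN = re.compile(r"^[!#$%&'*+.^_`|~0-9A-Za-z-]+$")


class HeaderInjectionError(ValueError):
    """Raised when a header name or value could split the request head."""


def canonicalize_headers_vulnerable(headers):
    """Hypothetical pre-fix behaviour: normalizes case and whitespace only.

    Nothing here stops a value such as 'test\\r\\nX-Injected: pwned' from
    being emitted as two header lines.
    """
    return {str(k).strip().title(): str(v).strip() for k, v in headers.items()}


def canonicalize_headers_safe(headers):
    """Hardened variant: reject (rather than silently strip) CR, LF and NUL.

    Rejecting makes the injection attempt visible to the caller instead of
    sending a 'repaired' request whose meaning the caller never intended.
    """
    clean = {}
    for k, v in headers.items():
        name, value = str(k), str(v)
        if _FORBIDDEN.search(name) or _FORBIDDEN.search(value):
            raise HeaderInjectionError(f"control characters in header {name!r}")
        if not _TOKEN.match(name.strip()):
            raise HeaderInjectionError(f"invalid header name {name!r}")
        clean[name.strip().title()] = value.strip()
    return clean


def build_request_head(method, path, host, headers, canonicalize):
    """Serialize the request line and headers as a client puts them on the wire."""
    lines = [f"{method} {path} HTTP/1.1", f"Host: {host}"]
    for name, value in canonicalize(headers).items():
        lines.append(f"{name}: {value}")
    return ("\r\n".join(lines) + "\r\n\r\n").encode("latin-1")


def header_names_as_parsed(raw_head):
    """Read the head back the way a lenient server does (bare LF accepted too)
    and return the lower-cased field names it would see."""
    names = []
    for line in raw_head.split(b"\n")[1:]:          # skip the request line
        line = line.rstrip(b"\r")
        if not line:
            break                                   # blank line ends the header block
        name, _, _ = line.partition(b":")
        names.append(name.strip().lower().decode("latin-1"))
    return names


def rejects(name, value):
    """True if the hardened canonicalizer refuses this name/value pair."""
    try:
        canonicalize_headers_safe({name: value})
    except HeaderInjectionError:
        return True
    return False


def demo():
    """Run the advisory's PoC value through both canonicalizers.

    Returns (injected_header_seen_by_server, blocked_by_hardened_variant).
    """
    attack = {"User-Agent": "test\r\nX-Injected: pwned"}   # PoC value from the advisory
    raw = build_request_head("GET", "/", "example.test", attack,
                             canonicalize_headers_vulnerable)
    injected = "x-injected" in header_names_as_parsed(raw)
    blocked = rejects("User-Agent", attack["User-Agent"])
    return injected, blocked


if __name__ == "__main__":
    print(demo())
```

The hardened variant raises instead of stripping the offending bytes: stripping would still send a request, just not the one the caller asked for, and it hides the fact that someone tried an injection. The parser deliberately accepts a bare \n as a line terminator, which is why the advisory lists lone line feeds alongside CRLF; many real servers are equally lenient.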
The vulnerability was reported on January 25, 2026, and publicly disclosed on January 27, 2026, with a patched release (version 0.1.1-1bc6019) issued alongside the disclosure. Organizations using Gakido in production, particularly those handling sensitive HTTP communications or accepting user-supplied header values, should upgrade to the patched version. Where an immediate upgrade is not possible, reject any caller-supplied header name or value containing \r, \n or \x00 before it reaches the library, since that is the exact input the fix refuses.
Technical details and the complete fix are available via the GitHub advisory (GHSA-gcgx-chcp-hxp9) and the corresponding commit (369c67e). The incident underscores the need for strict input validation in HTTP client libraries, which sit directly on top of network primitives and turn every unchecked header value into bytes on the wire.
Source: https://cybersecuritynews.com/gakido-crlf-injection-vulnerability/
Happy Hacking Space cybersecurity rating report: https://www.rankiteo.com/company/happyhackingspace
{
  "id": "HAP1770036164",
  "linkid": "happyhackingspace",
  "type": "Vulnerability",
  "date": "1/2026",
  "severity": "50",
  "impact": "2",
  "explanation": "Attack limited on finance or reputation"
}

{
  "affected_entities": [
    {
      "customers_affected": "Organizations using Gakido in production environments",
      "industry": "Software Development",
      "name": "HappyHackingSpace",
      "type": "Company"
    }
  ],
  "attack_vector": "CRLF Injection",
  "customer_advisories": "Organizations handling sensitive HTTP communications or accepting user-supplied headers are urged to upgrade to the patched version.",
  "date_detected": "2026-01-25",
  "date_publicly_disclosed": "2026-01-27",
  "description": "A critical vulnerability in Gakido, an HTTP client library developed by HappyHackingSpace, allows attackers to inject arbitrary HTTP headers via CRLF (Carriage Return Line Feed) sequences. The flaw affects all versions of Gakido prior to 0.1.1-1bc6019 and stems from insufficient input validation in the `canonicalize_headers()` function within `gakido/headers.py`. Exploitation can lead to unauthorized header injection, HTTP response manipulation, cache poisoning, and session fixation.",
  "impact": {
    "operational_impact": "Compromised communication integrity, potential session fixation, cache poisoning",
    "systems_affected": "HTTP client library (Gakido)"
  },
  "lessons_learned": "Critical need for input sanitization in HTTP client libraries, especially those handling network primitives.",
  "post_incident_analysis": {
    "corrective_actions": "Sanitize user-controlled header values containing CRLF sequences, line feeds, or null bytes before transmission.",
    "root_causes": "Insufficient input validation in the `canonicalize_headers()` function within `gakido/headers.py`."
  },
  "recommendations": "Organizations using Gakido should upgrade to the patched version (0.1.1-1bc6019) immediately to mitigate risks.",
  "references": [
    {"source": "GitHub Advisory", "url": "GHSA-gcgx-chcp-hxp9"},
    {"source": "Commit Fix", "url": "369c67e"}
  ],
  "response": {
    "communication_strategy": "Public disclosure via GitHub advisory (GHSA-gcgx-chcp-hxp9)",
    "containment_measures": "Patch released (version 0.1.1-1bc6019)",
    "remediation_measures": "Upgrade to patched version (0.1.1-1bc6019)"
  },
  "title": "Critical CRLF Injection Vulnerability in Gakido HTTP Client Library (CVE-2026-24489)",
  "type": "Vulnerability Exploitation",
  "vulnerability_exploited": "CVE-2026-24489"
}