{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2026-24489", "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "state": "PUBLISHED", "assignerShortName": "GitHub_M", "dateReserved": "2026-01-23T00:38:20.548Z", "datePublished": "2026-01-27T00:36:34.230Z", "dateUpdated": "2026-01-27T14:46:42.530Z"}, "containers": {"cna": {"title": "Gakido vulnerable to HTTP Header Injection (CRLF Injection)", "problemTypes": [{"descriptions": [{"cweId": "CWE-93", "lang": "en", "description": "CWE-93: Improper Neutralization of CRLF Sequences ('CRLF Injection')", "type": "CWE"}]}, {"descriptions": [{"cweId": "CWE-113", "lang": "en", "description": "CWE-113: Improper Neutralization of CRLF Sequences in HTTP Headers ('HTTP Request/Response Splitting')", "type": "CWE"}]}], "metrics": [{"cvssV3_1": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 5.3, "baseSeverity": "MEDIUM", "confidentialityImpact": "NONE", "integrityImpact": "LOW", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N", "version": "3.1"}}], "references": [{"name": "https://github.com/HappyHackingSpace/gakido/security/advisories/GHSA-gcgx-chcp-hxp9", "tags": ["x_refsource_CONFIRM"], "url": "https://github.com/HappyHackingSpace/gakido/security/advisories/GHSA-gcgx-chcp-hxp9"}, {"name": "https://github.com/HappyHackingSpace/gakido/commit/369c67e67c63da510c8a9ab021e54a92ccf1f788", "tags": ["x_refsource_MISC"], "url": "https://github.com/HappyHackingSpace/gakido/commit/369c67e67c63da510c8a9ab021e54a92ccf1f788"}, {"name": "https://github.com/HappyHackingSpace/gakido/releases/tag/v0.1.1-1bc6019", "tags": ["x_refsource_MISC"], "url": "https://github.com/HappyHackingSpace/gakido/releases/tag/v0.1.1-1bc6019"}], "affected": [{"vendor": "HappyHackingSpace", "product": "gakido", "versions": [{"version": "< 0.1.1", "status": "affected"}]}], "providerMetadata": {"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M", "dateUpdated": "2026-01-27T00:36:34.230Z"}, "descriptions": [{"lang": "en", "value": "Gakido is a Python HTTP client focused on browser impersonation and anti-bot evasion. A vulnerability was discovered in Gakido prior to version 0.1.1 that allowed HTTP header injection through CRLF (Carriage Return Line Feed) sequences in user-supplied header values and names. When making HTTP requests with user-controlled header values containing `\\r\\n` (CRLF), `\\n` (LF), or `\\x00` (null byte) characters, an attacker could inject arbitrary HTTP headers into the request. The fix in version 0.1.1 adds a `_sanitize_header()` function that strips `\\r`, `\\n`, and `\\x00` characters from both header names and values before they are included in HTTP requests."}], "source": {"advisory": "GHSA-gcgx-chcp-hxp9", "discovery": "UNKNOWN"}}, "adp": [{"metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2026-01-27T14:46:28.507941Z", "id": "CVE-2026-24489", "options": [{"Exploitation": "poc"}, {"Automatable": "yes"}, {"Technical Impact": "partial"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-01-27T14:46:42.530Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2026-24489", "role": "CISA Coordinator", "options": [{"Exploitation": "poc"}, {"Automatable": "yes"}, {"Technical Impact": "partial"}], "version": "2.0.3", "timestamp": "2026-01-27T14:46:28.507941Z"}}}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-01-27T14:46:37.086Z"}}], "cna": {"title": "Gakido vulnerable to HTTP Header Injection (CRLF Injection)", "source": {"advisory": "GHSA-gcgx-chcp-hxp9", "discovery": "UNKNOWN"}, "metrics": [{"cvssV3_1": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 5.3, "attackVector": "NETWORK", "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N", "integrityImpact": "LOW", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "NONE", "privilegesRequired": "NONE", "confidentialityImpact": "NONE"}}], "affected": [{"vendor": "HappyHackingSpace", "product": "gakido", "versions": [{"status": "affected", "version": "< 0.1.1"}]}], "references": [{"url": "https://github.com/HappyHackingSpace/gakido/security/advisories/GHSA-gcgx-chcp-hxp9", "name": "https://github.com/HappyHackingSpace/gakido/security/advisories/GHSA-gcgx-chcp-hxp9", "tags": ["x_refsource_CONFIRM"]}, {"url": "https://github.com/HappyHackingSpace/gakido/commit/369c67e67c63da510c8a9ab021e54a92ccf1f788", "name": "https://github.com/HappyHackingSpace/gakido/commit/369c67e67c63da510c8a9ab021e54a92ccf1f788", "tags": ["x_refsource_MISC"]}, {"url": "https://github.com/HappyHackingSpace/gakido/releases/tag/v0.1.1-1bc6019", "name": "https://github.com/HappyHackingSpace/gakido/releases/tag/v0.1.1-1bc6019", "tags": ["x_refsource_MISC"]}], "descriptions": [{"lang": "en", "value": "Gakido is a Python HTTP client focused on browser impersonation and anti-bot evasion. A vulnerability was discovered in Gakido prior to version 0.1.1 that allowed HTTP header injection through CRLF (Carriage Return Line Feed) sequences in user-supplied header values and names. When making HTTP requests with user-controlled header values containing `\\r\\n` (CRLF), `\\n` (LF), or `\\x00` (null byte) characters, an attacker could inject arbitrary HTTP headers into the request. The fix in version 0.1.1 adds a `_sanitize_header()` function that strips `\\r`, `\\n`, and `\\x00` characters from both header names and values before they are included in HTTP requests."}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-93", "description": "CWE-93: Improper Neutralization of CRLF Sequences ('CRLF Injection')"}]}, {"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-113", "description": "CWE-113: Improper Neutralization of CRLF Sequences in HTTP Headers ('HTTP Request/Response Splitting')"}]}], "providerMetadata": {"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M", "dateUpdated": "2026-01-27T00:36:34.230Z"}}}, "cveMetadata": {"cveId": "CVE-2026-24489", "state": "PUBLISHED", "dateUpdated": "2026-01-27T14:46:42.530Z", "dateReserved": "2026-01-23T00:38:20.548Z", "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "datePublished": "2026-01-27T00:36:34.230Z", "assignerShortName": "GitHub_M"}, "dataVersion": "5.2"}

{"cveTags": [], "descriptions": [{"lang": "en", "value": "Gakido is a Python HTTP client focused on browser impersonation and anti-bot evasion. A vulnerability was discovered in Gakido prior to version 0.1.1 that allowed HTTP header injection through CRLF (Carriage Return Line Feed) sequences in user-supplied header values and names. When making HTTP requests with user-controlled header values containing `\\r\\n` (CRLF), `\\n` (LF), or `\\x00` (null byte) characters, an attacker could inject arbitrary HTTP headers into the request. The fix in version 0.1.1 adds a `_sanitize_header()` function that strips `\\r`, `\\n`, and `\\x00` characters from both header names and values before they are included in HTTP requests."}, {"lang": "es", "value": "Gakido es un cliente HTTP de Python centrado en la suplantaci\u00f3n de navegadores y la evasi\u00f3n de bots. Se descubri\u00f3 una vulnerabilidad en Gakido anterior a la versi\u00f3n 0.1.1 que permit\u00eda la inyecci\u00f3n de encabezados HTTP a trav\u00e9s de secuencias CRLF (retorno de carro y salto de l\u00ednea) en los valores y nombres de los encabezados proporcionados por el usuario. Al realizar solicitudes HTTP con valores de encabezado controlados por el usuario que contienen caracteres `\\r\\n` (CRLF), `\\n` (LF) o `\\x00` (byte nulo), un atacante pod\u00eda inyectar encabezados HTTP arbitrarios en la solicitud. La correcci\u00f3n en la versi\u00f3n 0.1.1 a\u00f1ade una funci\u00f3n `_sanitize_header()` que elimina los caracteres `\\r`, `\\n` y `\\x00` tanto de los nombres como de los valores de los encabezados antes de que se incluyan en las solicitudes HTTP."}], "id": "CVE-2026-24489", "lastModified": "2026-04-15T00:35:42.020", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 5.3, "baseSeverity": "MEDIUM", "confidentialityImpact": "NONE", "integrityImpact": "LOW", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N", "version": "3.1"}, "exploitabilityScore": 3.9, "impactScore": 1.4, "source": "security-advisories@github.com", "type": "Secondary"}]}, "published": "2026-01-27T01:16:02.453", "references": [{"source": "security-advisories@github.com", "url": "https://github.com/HappyHackingSpace/gakido/commit/369c67e67c63da510c8a9ab021e54a92ccf1f788"}, {"source": "security-advisories@github.com", "url": "https://github.com/HappyHackingSpace/gakido/releases/tag/v0.1.1-1bc6019"}, {"source": "security-advisories@github.com", "url": "https://github.com/HappyHackingSpace/gakido/security/advisories/GHSA-gcgx-chcp-hxp9"}], "sourceIdentifier": "security-advisories@github.com", "vulnStatus": "Deferred", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-93"}, {"lang": "en", "value": "CWE-113"}], "source": "security-advisories@github.com", "type": "Primary"}]}

{}

{"analysis": {"en": {"generated_at": "2026-04-18T14:57:51.782232+00:00", "value": {"mitigation_remediation": ["Upgrade Gakido to version 0.1.1 or later to apply the built\u2011in header sanitization", "If upgrading is not immediately feasible, validate and strip CRLF, LF, or null byte characters from all header names and values before passing them to Gakido", "Review any code that constructs or manipulates headers for Gakido usage to enforce strict validation and prevent injection attempts"], "summary": {"action": "Patch", "impact": "Header injection via CRLF may allow an attacker to inject arbitrary HTTP headers into requests, potentially altering request integrity and downstream processing"}, "threat_synthesis": {"affected_systems": "HappyHackingSpace\u2019s Gakido HTTP client is affected in all releases prior to v0.1.1. The issue was fixed in the 0.1.1 release and later versions.", "description_and_impact": "A flaw in Gakido before version 0.1.1 permits the injection of arbitrary HTTP headers when user\u2011supplied header names or values contain CRLF, LF, or null bytes. The client builds raw HTTP requests, so a crafted header can be inserted and sent to the target server, altering the semantics of the request or enabling header\u2011based attacks such as request smuggling or bypassing security checks performed downstream.", "risk_and_exploitability": "The CVSS score of 5.3 indicates medium severity. The EPSS score is below 1%, signifying a low probability of exploitation at the time of analysis. The vulnerability is not listed in the KEV catalog. Based on the description, it is inferred that the primary attack vector involves an application supplying user\u2011controlled header names or values to Gakido. The injected headers can modify request flow but there is no evidence of code\u2011execution or higher\u2011level compromise. Overall, the risk is limited to integrity impacts of the HTTP requests."}}}}, "created": "2026-01-27T09:03:03.121089+00:00", "updated": "2026-04-18T15:00:03.453505+00:00", "vendors": ["happyhackingspace", "happyhackingspace$PRODUCT$gakido"]}