PT-2026-4842 · Gakido · Gakido

Omarkurt · Published 2026-01-26 · Updated 2026-02-03
CVE-2026-24489
CVSS v3.1: 5.3 (Medium)
Vector: AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N
Name of the Vulnerable Software and Affected Versions: Gakido versions prior to 0.1.1
Description: Gakido, a Python HTTP client designed for browser impersonation and anti-bot evasion, contains an HTTP header injection flaw. User-supplied header names and values are not sanitized, so carriage return (\r), line feed (\n) and NUL (\x00) characters are passed through unchanged into the serialized request. An attacker who controls header values passed to Gakido's request methods, such as Client.get() and Client.post(), can therefore terminate the current header line with a CRLF sequence and append arbitrary HTTP headers of their own. Possible consequences include injecting malicious headers, manipulating responses in certain proxy configurations, cache poisoning, session fixation, and bypassing server-side security checks. The vulnerable code is the canonicalize_headers() function in gakido/headers.py.
Recommendations: Update to version 0.1.1 or later. This release adds a sanitize_header() function that removes \r, \n and \x00 characters from header names and values before they are serialized, preventing the injection of arbitrary HTTP headers.
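The following added example (not Gakido's code and not taken from the advisory) shows the mechanism behind the description and the fix above: an HTTP/1.1 client serializes headers by joining "Name: value" lines with CRLF, so a value containing its own CRLF becomes a second header as far as the server or proxy is concerned. The functions build_request_head(), parse_head(), sanitize_header() and strict_header() are hypothetical names for illustration; sanitize_header() is modelled only on the advisory's description of the 0.1.1 fix (strip \r, \n and \x00), and strict_header() is an alternative that rejects such input instead. The attacker-controlled header value is constructed for the demo.

```python
"""Added example: CRLF header injection in a hand-rolled HTTP/1.1 serializer,
and a stripping sanitizer modelled on the advisory's description of the fix.
All names here are assumptions for illustration, not Gakido's API."""
import re
from typing import Callable, Dict, Tuple

CRLF = "\r\n"
# Characters the advisory says the 0.1.1 fix removes from header names and values.
BAD_CHARS = ("\r", "\n", "\x00")


def build_request_head(method: str, path: str, headers: Dict[str, str]) -> str:
    """Serialize a request line plus headers the way an HTTP/1.1 client does,
    WITHOUT any sanitization. This stands in for the vulnerable behaviour:
    whatever is in `headers` is joined with CRLF verbatim."""
    lines = [f"{method} {path} HTTP/1.1"]
    for name, value in headers.items():
        lines.append(f"{name}: {value}")
    return CRLF.join(lines) + CRLF + CRLF


def parse_head(raw: str) -> Tuple[str, Dict[str, str]]:
    """Minimal parser for what a server or proxy would see on the wire.
    Returns the request line and a dict of lower-cased header names."""
    head, _, _ = raw.partition(CRLF + CRLF)
    request_line, *header_lines = head.split(CRLF)
    parsed: Dict[str, str] = {}
    for line in header_lines:
        name, _, value = line.partition(":")
        parsed[name.strip().lower()] = value.strip()
    return request_line, parsed


def sanitize_header(name: str, value: str) -> Tuple[str, str]:
    """Hypothetical stripping sanitizer: drop CR, LF and NUL from both the
    name and the value, as the advisory describes the 0.1.1 fix doing."""
    for ch in BAD_CHARS:
        name = name.replace(ch, "")
        value = value.replace(ch, "")
    return name, value


_FORBIDDEN = re.compile(r"[\r\n\x00]")


def strict_header(name: str, value: str) -> Tuple[str, str]:
    """Rejecting variant (this example's own design choice, not the advisory's
    fix): refuse the request rather than silently alter the caller's input."""
    if _FORBIDDEN.search(name) or _FORBIDDEN.search(value):
        raise ValueError("CR, LF or NUL is not allowed in a header name or value")
    return name, value


def build_safe_head(method: str, path: str, headers: Dict[str, str],
                    sanitizer: Callable[[str, str], Tuple[str, str]] = sanitize_header) -> str:
    """Run every header through `sanitizer` before serializing."""
    clean = dict(sanitizer(n, v) for n, v in headers.items())
    return build_request_head(method, path, clean)


# Constructed attacker-controlled value: a legitimate-looking token followed by
# CRLF and a header the calling application never intended to send.
ATTACKER_VALUE = "abc123\r\nX-Forwarded-For: 127.0.0.1"
USER_HEADERS = {"X-Token": ATTACKER_VALUE, "Host": "example.test"}


def demo() -> Tuple[Dict[str, str], Dict[str, str]]:
    """Return (headers seen by the server unsanitized, headers seen after sanitizing)."""
    _, seen_unsafe = parse_head(build_request_head("GET", "/", USER_HEADERS))
    _, seen_safe = parse_head(build_safe_head("GET", "/", USER_HEADERS))
    return seen_unsafe, seen_safe


if __name__ == "__main__":
    unsafe, safe = demo()
    print("unsanitized, server sees:", unsafe)   # includes an injected x-forwarded-for
    print("sanitized,   server sees:", safe)     # x-forwarded-for is gone
    try:
        strict_header("X-Token", ATTACKER_VALUE)
    except ValueError as exc:
        print("strict variant rejects:", exc)
```

Note the difference between the two defences: stripping keeps the request going but silently changes the value the caller asked for (the injected fragment is now glued onto the token), whereas rejecting surfaces the bad input to the caller. Which behaviour a library should pick is a design decision; the advisory only states that 0.1.1 strips the characters.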

Related Identifiers

CVE-2026-24489
GHSA-GCGX-CHCP-HXP9

Affected Products

Gakido