Publish GHSA-gcgx-chcp-hxp9

Author: advisory-database[bot]

advisories/github-reviewed/2026/01/GHSA-gcgx-chcp-hxp9/GHSA-gcgx-chcp-hxp9.json

@@ -0,0 +1,66 @@
+{
+  "schema_version": "1.4.0",
+  "id": "GHSA-gcgx-chcp-hxp9",
+  "modified": "2026-01-26T23:29:57Z",
+  "published": "2026-01-26T23:29:57Z",
+  "aliases": [
+    "CVE-2026-24489"
+  ],
+  "summary": "Gakido vulnerable to HTTP Header Injection (CRLF Injection) ",
+  "details": "A vulnerability was discovered in Gakido that allowed HTTP Header Injection through CRLF (Carriage Return Line Feed) sequences in user-supplied header values and names.\n\nWhen making HTTP requests with user-controlled header values containing `\\r\\n` (CRLF), `\\n` (LF), or `\\x00` (null byte) characters, an attacker could inject arbitrary HTTP headers into the request.\n\n## Impact\n\nAn attacker who can control header values passed to Gakido's `Client.get()`, `Client.post()`, or other request methods could:\n\n1. **Inject arbitrary HTTP headers** - Add malicious headers to requests\n2. **HTTP Response Splitting** - Potentially manipulate responses in certain proxy configurations\n3. **Cache Poisoning** - Inject headers that could poison intermediate caches\n4. **Session Fixation** - Inject session-related headers\n5. **Bypass Security Controls** - Inject headers that bypass server-side security checks\n\n## Proof of Concept\n\n```python\nfrom gakido import Client\n\n# Before fix: X-Injected header would be sent as a separate header\nc = Client(impersonate=\"chrome_120\")\nr = c.get(\"https://httpbin.org/headers\", headers={\n    \"User-Agent\": \"test\\r\\nX-Injected: pwned\"\n})\n\n# The server would receive:\n# User-Agent: test\n# X-Injected: pwned\n```\n\n## Affected Code\n\nThe vulnerability existed in the header processing logic where user-supplied headers were not sanitized before being sent in HTTP requests.\n\n**File:** `gakido/headers.py`  \n**Function:** `canonicalize_headers()`\n\n## Fix\n\nThe fix adds a `_sanitize_header()` function that strips `\\r`, `\\n`, and `\\x00` characters from both header names and values before they are included in HTTP requests.\n\n```python\ndef _sanitize_header(name: str, value: str) -> tuple[str, str]:\n    \"\"\"\n    Sanitize header name and value to prevent HTTP header injection (CRLF injection).\n    Strips CR, LF, and null bytes from both name and value.\n    \"\"\"\n    clean_name = name.replace(\"\\r\", \"\").replace(\"\\n\", \"\").replace(\"\\x00\", \"\")\n    clean_value = value.replace(\"\\r\", \"\").replace(\"\\n\", \"\").replace(\"\\x00\", \"\")\n    return clean_name, clean_value\n```",
+  "severity": [
+    {
+      "type": "CVSS_V3",
+      "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N"
+    }
+  ],
+  "affected": [
+    {
+      "package": {
+        "ecosystem": "PyPI",
+        "name": "gakido"
+      },
+      "ranges": [
+        {
+          "type": "ECOSYSTEM",
+          "events": [
+            {
+              "introduced": "0"
+            },
+            {
+              "fixed": "0.1.1"
+            }
+          ]
+        }
+      ]
+    }
+  ],
+  "references": [
+    {
+      "type": "WEB",
+      "url": "https://github.com/HappyHackingSpace/gakido/security/advisories/GHSA-gcgx-chcp-hxp9"
+    },
+    {
+      "type": "WEB",
+      "url": "https://github.com/HappyHackingSpace/gakido/commit/369c67e67c63da510c8a9ab021e54a92ccf1f788"
+    },
+    {
+      "type": "PACKAGE",
+      "url": "https://github.com/HappyHackingSpace/gakido"
+    },
+    {
+      "type": "WEB",
+      "url": "https://github.com/HappyHackingSpace/gakido/releases/tag/v0.1.1-1bc6019"
+    }
+  ],
+  "database_specific": {
+    "cwe_ids": [
+      "CWE-113",
+      "CWE-93"
+    ],
+    "severity": "MODERATE",
+    "github_reviewed": true,
+    "github_reviewed_at": "2026-01-26T23:29:57Z",
+    "nvd_published_at": null
+  }
+}