Gakido: When 'Performance First' Means 'Security Optional' (CVE-2026-24489)
Vulnerability ID: CVE-2026-24489
CVSS Score: 7.5
Published: 2026-01-26
A classic CRLF injection vulnerability in the Gakido HTTP client allows attackers to inject arbitrary HTTP headers or manipulate request bodies via unsanitized input.
TL;DR
Gakido, a 'performance-first' Python HTTP client, forgot that HTTP is a text protocol delimited by newlines. By injecting CRLF sequences (\r\n) into header values, attackers can break the protocol framing, leading to Request Smuggling or Header Injection. Patched in v0.1.1 by stripping control characters.
⚠️ Exploit Status: POC
Technical Details
- CWE ID: CWE-113
- Attack Vector: Network
- CVSS: 7.5 (High)
- Impact: Request Smuggling / Header Injection
- Affected Component: gakido/headers.py
- Patch Commit: 369c67e67c63da510c8a9ab021e54a92ccf1f788
Affected Systems
- Python applications using Gakido < v0.1.1
- Microservices relying on Gakido for internal HTTP calls
-
Gakido: < 0.1.1 (Fixed in:
0.1.1)
Code Analysis
Commit: 369c67e
Fix CRLF injection by sanitizing headers
def _sanitize_header(name: str, value: str) -> tuple[str, str]:
+ clean_name = name.replace("\r", "").replace("\n", "").replace("\x00", "")
+ clean_value = value.replace("\r", "").replace("\n", "").replace("\x00", "")
+ return clean_name, clean_value
Exploit Details
- Research Analysis: Exploit is trivial to construct via any field controlled by user input that populates a header.
Mitigation Strategies
- Input Sanitization at the Application Layer
- WAF Rules detecting %0d and %0a in headers
- Dependency Updates
Remediation Steps:
- Update
gakidoto versionv0.1.1or higher immediately. - Audit your codebase for any instance where user input is passed directly to Gakido headers.
- Implement a strict 'reject' policy for control characters in your API gateway.
References
Read the full report for CVE-2026-24489 on our website for more details including interactive diagrams and full exploit analysis.
Top comments (0)