Listen to this Post
This vulnerability operates through improper validation of user-supplied input within HTTP header values and names. The Gakido client library failed to sanitize carriage return (\r), line feed (\n), and null byte (\x00) characters before constructing the raw HTTP request. When an attacker controls a header value, such as the User-Agent, and inserts a sequence like test\r\nX-Injected: pwned, the `\r\n` is interpreted as a line terminator by the underlying HTTP parser. This causes the subsequent text to be processed as a new, separate HTTP header. This primitive allows for the injection of arbitrary headers into the outbound request, which can be leveraged for attacks such as HTTP response splitting (if the output is reflected), cache poisoning, session fixation, or bypassing security controls on the server side by injecting misleading headers like X-Forwarded-For. The vulnerability was present in the `canonicalize_headers()` function within gakido/headers.py.
Platform: Gakido library
Version: Pre-fix versions
Vulnerability: HTTP Header Injection
Severity: Critical
date: Not specified
Prediction: Patch immediate release
What Undercode Say:
Testing for CRLF injection in headers
python3 -c "from gakido import Client; c=Client(); r=c.get('http://example.com', headers={'User-Agent':'test\r\nX-Injected:1'})"
Proof-of-Concept Code
from gakido import Client
c = Client(impersonate="chrome_120")
r = c.get("https://httpbin.org/headers", headers={
"User-Agent": "test\r\nX-Injected: pwned"
})
How Exploit:
Inject CRLF sequences (\r\n) into user-controlled HTTP header values or names to add malicious headers.
Protection from this CVE
Apply patch implementing `_sanitize_header()` to strip \r, \n, `\x00` from all header names/values.
Impact:
Arbitrary header injection, response splitting, cache poisoning, security control bypass.
🎯Let’s Practice Exploiting & Learn Patching For Free:
Sources:
Reported By: github.com
Extra Source Hub:
Undercode

