Gakido - CRLF Injection

Overview

A vulnerability was discovered in Gakido that allowed HTTP header injection through CRLF (Carriage Return Line Feed) sequences in user-supplied header values and names.

Vulnerability Details

When making HTTP requests with user-controlled header values containing \r\n (CRLF), \n (LF), or \x00 (null byte) characters, an attacker could inject arbitrary additional HTTP headers into the outgoing request, because the injected line breaks are interpreted by the receiver as header delimiters.

Affected Code: The vulnerability existed in the header processing logic where user-supplied headers were not sanitized before being sent in HTTP requests.

  • File: gakido/headers.py
  • Function: canonicalize_headers()

Impact

An attacker who can control header values passed to Gakido's Client.get(), Client.post(), or other request methods could:

  • Inject arbitrary HTTP headers - Add malicious headers to requests
  • HTTP Response Splitting - Potentially manipulate responses in certain proxy configurations
  • Cache Poisoning - Inject headers that could poison intermediate caches
  • Session Fixation - Inject session-related headers
  • Bypass Security Controls - Inject headers that bypass server-side security checks

Proof of Concept

from gakido import Client

# Before fix: the CRLF inside the User-Agent value terminates that header
# line, so "X-Injected: pwned" is sent to the server as a separate header.
# httpbin.org/headers echoes back the headers it received, which makes the
# injected header visible in the response.
c = Client(impersonate="chrome_120")
r = c.get("https://httpbin.org/headers", headers={
    "User-Agent": "test\r\nX-Injected: pwned"
})
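The following is an added example (not Gakido's code and not the project's actual fix) showing both halves of the issue described above: how a serializer that does not sanitize header values turns the proof-of-concept value into two header lines on the wire, and the kind of check a canonicalize_headers()-style function needs so that CR, LF and NUL in a header name or value are rejected before the request is built. The function names and the RFC 9110 token rule for header names are assumptions made for this illustration.

```python
import re
from typing import Dict, Tuple

# Bytes that must never appear inside a single header name or value:
# carriage return, line feed and NUL. CR/LF split the header on the wire;
# NUL can truncate the value in some parsers.
_FORBIDDEN = re.compile(r"[\r\n\x00]")

# Header names are restricted to RFC 9110 "tchar" characters, which
# excludes whitespace, control characters and separators such as ':'.
_TOKEN = re.compile(r"^[!#$%&'*+\-.^_`|~0-9A-Za-z]+$")


class HeaderInjectionError(ValueError):
    """Raised when a header name or value could split the request."""


def validate_header(name: str, value: str) -> Tuple[str, str]:
    """Accept a (name, value) pair only if it cannot inject extra lines."""
    if not _TOKEN.match(name):
        raise HeaderInjectionError(f"invalid header name: {name!r}")
    if _FORBIDDEN.search(value):
        raise HeaderInjectionError(f"CR/LF/NUL in value of {name!r}: {value!r}")
    return name, value


def canonicalize_headers_safe(headers: Dict[str, str]) -> Dict[str, str]:
    """Hypothetical hardened counterpart of canonicalize_headers():
    every header is validated, and one bad entry rejects the whole set."""
    return dict(validate_header(n, v) for n, v in headers.items())


def is_injection_attempt(headers: Dict[str, str]) -> bool:
    """True if the header dict would be rejected by the validator."""
    try:
        canonicalize_headers_safe(headers)
    except HeaderInjectionError:
        return True
    return False


def naive_serialize(headers: Dict[str, str]) -> bytes:
    """How an unsanitized serializer puts headers on the wire: each value is
    pasted in verbatim, so embedded CRLF produces additional header lines."""
    lines = [f"{n}: {v}\r\n".encode("latin-1") for n, v in headers.items()]
    return b"".join(lines) + b"\r\n"


def count_wire_headers(raw: bytes) -> int:
    """Number of header lines a receiver would parse from the raw bytes."""
    return len([line for line in raw.split(b"\r\n") if line])


if __name__ == "__main__":
    # Constructed input mirroring the proof of concept above.
    poc = {"User-Agent": "test\r\nX-Injected: pwned"}
    print("lines on the wire without sanitization:", count_wire_headers(naive_serialize(poc)))
    print("rejected by validator:", is_injection_attempt(poc))
    print("clean headers pass:", canonicalize_headers_safe({"User-Agent": "test"}))
```

Rejecting rather than silently stripping the offending characters is the safer default: a stripped value can still change meaning (for example by merging two intended lines), while an exception makes the caller aware that it received attacker-influenced input.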

References