CVE-2026-24489
Gakido vulnerable to HTTP Header Injection (CRLF Injection)
Description
A vulnerability was discovered in Gakido that allowed HTTP header injection through CRLF (Carriage Return Line Feed) sequences in user-supplied header names and values. When an HTTP request was made with a user-controlled header containing `\r\n` (CRLF), `\n` (LF) or `\x00` (null byte) characters, an attacker could inject arbitrary HTTP headers into the outgoing request.

## Impact

An attacker who can control header values passed to Gakido's `Client.get()`, `Client.post()` or other request methods could:

1. **Inject arbitrary HTTP headers** - add attacker-chosen headers to the request
2. **HTTP response splitting** - potentially manipulate responses in certain proxy configurations
3. **Cache poisoning** - inject headers that could poison intermediate caches
4. **Session fixation** - inject session-related headers
5. **Bypass security controls** - inject headers that bypass server-side security checks

## Proof of Concept

```python
from gakido import Client

# Before the fix: the injected X-Injected header was sent as a separate header
c = Client(impersonate="chrome_120")
r = c.get("https://httpbin.org/headers", headers={
    "User-Agent": "test\r\nX-Injected: pwned"
})

# The server received:
# User-Agent: test
# X-Injected: pwned
```

## Affected Code

The vulnerability existed in the header processing logic, where user-supplied headers were not sanitized before being sent in HTTP requests.

**File:** `gakido/headers.py`
**Function:** `canonicalize_headers()`

## Fix

The fix adds a `_sanitize_header()` function that strips `\r`, `\n` and `\x00` characters from both header names and values before they are included in HTTP requests.

```python
def _sanitize_header(name: str, value: str) -> tuple[str, str]:
    """
    Sanitize header name and value to prevent HTTP header injection (CRLF injection).

    Strips CR, LF, and null bytes from both name and value.
    """
    clean_name = name.replace("\r", "").replace("\n", "").replace("\x00", "")
    clean_value = value.replace("\r", "").replace("\n", "").replace("\x00", "")
    return clean_name, clean_value
```
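To make the mechanism behind the proof of concept and the fix concrete without a network, the following is an added, self-contained example (not Gakido's code): a naive request serializer that writes header names and values verbatim, a tolerant server-side parser that accepts bare LF as well as CRLF, and two per-header policies applied before serialization. `sanitize_header` mirrors the strip-CR/LF/NUL approach the advisory's fix takes; `validate_header` is an alternative that rejects the header instead. All function names and the sample attacker input are this example's own.

```python
import re

# Added example, not gakido's code. Models the advisory's bug with a naive
# header serializer and a tolerant server-side parser, then shows two ways
# to close it: strip CR/LF/NUL (the advisory's fix) or reject the header.

FORBIDDEN = ("\r", "\n", "\x00")


def serialize_request(method: str, path: str, headers: dict[str, str]) -> str:
    """Naive serializer: writes names and values verbatim, like the pre-fix code path."""
    lines = [f"{method} {path} HTTP/1.1"]
    lines += [f"{name}: {value}" for name, value in headers.items()]
    return "\r\n".join(lines) + "\r\n\r\n"


def parse_request_headers(raw: str) -> dict[str, str]:
    """What a server sees: one header per line, accepting bare LF as well as CRLF."""
    head, _, _body = raw.partition("\r\n\r\n")
    _request_line, *header_lines = re.split(r"\r?\n", head)
    parsed: dict[str, str] = {}
    for line in header_lines:
        if not line:
            continue
        name, _, value = line.partition(":")
        parsed[name.strip()] = value.strip()
    return parsed


def sanitize_header(name: str, value: str) -> tuple[str, str]:
    """Strip policy: delete CR, LF and NUL so the request stays well-formed."""
    for ch in FORBIDDEN:
        name, value = name.replace(ch, ""), value.replace(ch, "")
    return name, value


def validate_header(name: str, value: str) -> tuple[str, str]:
    """Reject policy: refuse the header instead of silently altering it."""
    if any(ch in name or ch in value for ch in FORBIDDEN):
        raise ValueError(f"control character in header {name!r}")
    return name, value


def build_request(method: str, path: str, headers: dict[str, str],
                  policy=sanitize_header) -> str:
    """Apply a per-header policy to every name/value pair before serializing."""
    clean = dict(policy(n, v) for n, v in headers.items())
    return serialize_request(method, path, clean)


# Constructed attacker-controlled header, using the same value as the advisory's PoC.
INJECTED = {"User-Agent": "test\r\nX-Injected: pwned"}


def demo():
    """Return (what the server sees unprotected, what it sees after stripping, whether reject raised)."""
    vulnerable = parse_request_headers(serialize_request("GET", "/headers", INJECTED))
    stripped = parse_request_headers(build_request("GET", "/headers", INJECTED))
    try:
        build_request("GET", "/headers", INJECTED, policy=validate_header)
        rejected = False
    except ValueError:
        rejected = True
    return vulnerable, stripped, rejected


if __name__ == "__main__":
    v, s, r = demo()
    print("naive serializer, server sees:", v)
    print("strip policy, server sees:   ", s)
    print("reject policy raised:        ", r)
```

With the naive serializer the server parses two headers, `User-Agent: test` and `X-Injected: pwned`, which is exactly the split the proof of concept describes; a bare `\n` inside a header name splits the same way on a parser that tolerates LF line endings. Stripping keeps the request to a single `User-Agent` header, but the injected text survives as a mangled value (`testX-Injected: pwned`), so callers never learn that tainted input reached the HTTP layer; rejecting surfaces it as an error instead. Which policy is appropriate is a design choice; the advisory's fix takes the stripping route.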
How to patch CVE-2026-24489
To patch CVE-2026-24489, upgrade the affected package to the patched version listed below.
- Upgrade to 0.1.1 or later
Is CVE-2026-24489 being exploited?
Low: the EPSS score is 0.0%, and no widespread exploitation activity has been observed so far.