Name of the Vulnerable Software and Affected Versions Waitress versions prior to 1.4.1

Description The issue allows an attacker to send an invalid request that bypasses the front-end server and is parsed differently by Waitress, leading to a potential for HTTP request smuggling. This occurs when a proxy server is used in front of Waitress and an attacker sends a request with a Content-Length header and a Transfer-Encoding header containing invalid characters, such as a vertical tab (x0b). The front-end server would use the Content-Length header, while Waitress would parse the request as chunked, potentially leading to HTTP request splitting, cache poisoning, or unexpected information disclosure.

Recommendations For Waitress versions prior to 1.4.1, upgrade to Waitress 1.4.1, which fixes the issue with stricter HTTP field validation. Additionally, consider enabling additional protections on front-end servers that follow RFC7230 correctly, which would drop the request with a 400 Bad Request.