Name of the Vulnerable Software and Affected Versions Waitress versions prior to 1.4.0

Description The issue arises from the incorrect parsing of the Transfer-Encoding header, which should be a comma-separated list with the inner-most encoding first, followed by any further transfer codings, ending with chunked. When a request is sent with a header like "Transfer-Encoding: gzip, chunked", it would be ignored, and the request would use the Content-Length header instead to determine the body size of the HTTP message. This could allow Waitress to treat a single request as multiple requests in the case of HTTP pipelining.

Recommendations For versions prior to 1.4.0, update to Waitress 1.4.0 to resolve the issue.