PT-2019-20153 · Waitress · Waitress

Published

2019-12-20

·

Updated

2019-12-20

None

No severity ratings or metrics are available. When they become available, the corresponding information on this page will be updated.
Name of the Vulnerable Software and Affected Versions: Waitress versions 1.3.1 and earlier
Description: Waitress implements the optional leniency permitted by RFC 7230 (section 3.5, "Message Parsing Robustness"): it recognizes a bare LF as a line terminator and ignores any CR that precedes it. A front-end server (reverse proxy or load balancer) that splits header fields only on CRLF treats a bare LF as ordinary bytes inside a header value, so the two servers can disagree on where one header ends and the next begins, and therefore on which headers (for example Content-Length) are present. That disagreement in message framing is the precondition for HTTP request smuggling or splitting. The issue only manifests when the front end does not parse LF-terminated header fields the same way it parses CRLF-terminated ones.
Recommendations: For Waitress versions 1.3.1 and earlier, update to version 1.4.0, which resolves the issue.
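The parsing discrepancy described above, shown with two toy header parsers. This is an added example written for this page; it is not Waitress's code, and the request bytes, the function names (parse_request, framed_body, has_bare_cr_or_lf) and the final defensive check are constructed for illustration. The tolerant parser models the lenient behaviour the advisory attributes to Waitress 1.3.1 and earlier; the strict parser models a front end that splits only on CRLF. The last function is one possible defensive check for a proxy or server, not a description of the fix shipped in Waitress 1.4.0.

```python
"""CRLF vs. bare-LF header parsing: why two servers can frame one request differently.

Added example, not Waitress source. Both parsers are deliberately minimal: they
only do enough to show where the header block ends and which headers each side sees.
"""
import re
from typing import Dict, Optional, Tuple

# Constructed sample request (not captured traffic). The X-Ignored value contains a
# bare LF followed by text that looks like a second header field.
SAMPLE_REQUEST = (
    b"POST /upload HTTP/1.1\r\n"
    b"Host: app.example\r\n"
    b"X-Ignored: junk\nContent-Length: 5\r\n"
    b"\r\n"
    b"hello"
)


def _read_line(raw: bytes, pos: int, bare_lf_terminates: bool) -> Tuple[bytes, int]:
    """Return (line without terminator, position after the terminator).

    bare_lf_terminates=True models the RFC 7230 s3.5 leniency: LF ends the line and a
    preceding CR is dropped. False models a parser that only accepts CRLF.
    """
    if bare_lf_terminates:
        end = raw.find(b"\n", pos)
        if end == -1:
            raise ValueError("incomplete header block")
        line = raw[pos:end]
        if line.endswith(b"\r"):
            line = line[:-1]
        return line, end + 1
    end = raw.find(b"\r\n", pos)
    if end == -1:
        raise ValueError("incomplete header block")
    return raw[pos:end], end + 2


def parse_request(raw: bytes, bare_lf_terminates: bool) -> Tuple[bytes, Dict[bytes, bytes], bytes]:
    """Split a raw request into (request line, lowercased header map, remaining bytes)."""
    request_line, pos = _read_line(raw, 0, bare_lf_terminates)
    headers: Dict[bytes, bytes] = {}
    while True:
        line, pos = _read_line(raw, pos, bare_lf_terminates)
        if line == b"":
            break  # empty line terminates the header block
        name, _, value = line.partition(b":")
        headers[name.strip().lower()] = value.strip()
    return request_line, headers, raw[pos:]


def framed_body(raw: bytes, bare_lf_terminates: bool) -> bytes:
    """Body bytes this parser would consume, based on the Content-Length it sees.

    Anything after the returned bytes would be treated as the start of the next
    request on the same connection, which is where smuggling comes from.
    """
    _, headers, rest = parse_request(raw, bare_lf_terminates)
    length = int(headers.get(b"content-length", b"0"))
    return rest[:length]


# A CR not followed by LF, or an LF not preceded by CR, inside the header block.
_BARE_CR_OR_LF = re.compile(rb"\r(?!\n)|(?<!\r)\n")


def has_bare_cr_or_lf(raw: bytes) -> bool:
    """Defensive check (illustrative, not Waitress's fix): flag header blocks that
    contain a bare CR or LF so they can be rejected instead of parsed leniently."""
    head = raw.split(b"\r\n\r\n", 1)[0]
    return _BARE_CR_OR_LF.search(head) is not None


if __name__ == "__main__":
    for label, tolerant in (("front end (CRLF only)", False), ("back end (bare LF ok)", True)):
        _, hdrs, _ = parse_request(SAMPLE_REQUEST, tolerant)
        print(label, "sees headers:", sorted(hdrs), "body:", framed_body(SAMPLE_REQUEST, tolerant))
    print("bare CR/LF in header block:", has_bare_cr_or_lf(SAMPLE_REQUEST))
```

Run stand-alone, the strict front-end model sees no Content-Length and frames an empty body, leaving "hello" as the beginning of a second request, while the lenient back-end model sees Content-Length: 5 and consumes "hello" as the body of the first one. Rejecting any header block that has_bare_cr_or_lf flags, on whichever side you control, removes the ambiguity.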

Related identifiers

PYSEC-2019-66

Affected products

Waitress