Name of the Vulnerable Software and Affected Versions Waitress versions prior to 1.4.1

Description The issue allows an attacker to send specially crafted requests containing special whitespace characters in the Transfer-Encoding header, which could be parsed differently by Waitress and a front-end server. This discrepancy can lead to HTTP request splitting when a front-end server uses HTTP pipelining to a backend Waitress server, potentially resulting in cache poisoning or unexpected information disclosure.

Recommendations For versions prior to 1.4.1, update to Waitress version 1.4.1 or later, which includes more strict HTTP field validation to address this issue.