PT-2019-6225 · Waitress+3
Published 2019-12-20 · Updated 2022-09-23 · CVE-2019-16786
CVSS v2.0: 7.8 High
Vector: AV:N/AC:L/Au:N/C:N/I:C/A:N
Name of the Vulnerable Software and Affected Versions

Waitress versions prior to 1.4.0

Description

The issue is related to the incorrect parsing of the Transfer-Encoding header in Waitress. According to the HTTP standard, Transfer-Encoding should be a comma-separated list with the inner-most encoding first, followed by any further transfer codings, ending with chunked. However, Waitress would only look for a single string value, and if that value was not chunked, it would fall through and use the Content-Length header instead. This could allow Waitress to treat a single request as multiple requests in the case of HTTP pipelining.

Recommendations

For versions prior to 1.4.0, upgrade to Waitress 1.4.0 to fix the issue. As a temporary workaround, consider using a reverse proxy with protections against sending potentially bad HTTP requests to the backend. Additionally, using HTTP/1.0 instead of HTTP/1.1 for connecting to the backend may mitigate the issue, as HTTP pipelining does not exist in HTTP/1.0.
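To make the parsing difference in the description concrete, the following is an added illustration written for this page (not Waitress's own code): a single-string Transfer-Encoding check of the kind described above beside a list-aware check that follows RFC 7230, plus a helper that flags headers on which the two would disagree about the body length. Header names are assumed to be already lower-cased; the sample header sets are constructed.

```python
# Added example for this page (not Waitress's own code): contrasts a
# single-string Transfer-Encoding check with a list-aware one.  Header
# names are assumed already lower-cased; values are raw header strings.

def naive_framing(headers: dict) -> str:
    """Pre-1.4.0-style logic: exact compare against "chunked", otherwise
    fall through to Content-Length.  A list value such as "gzip, chunked"
    never matches, so the body length is taken from the wrong header (or
    no header at all) and surplus bytes are read as the next request."""
    te = headers.get("transfer-encoding")
    if te is not None and te.strip().lower() == "chunked":
        return "chunked"
    if "content-length" in headers:
        return "content-length"
    return "none"


def compliant_framing(headers: dict) -> str:
    """List-aware logic following RFC 7230 section 3.3.3: Transfer-Encoding
    is a comma-separated list whose final coding must be "chunked".
    Returns "chunked", "content-length", "none", or "reject" for messages
    whose body length cannot be determined unambiguously (a server should
    answer 400 and close the connection rather than guess)."""
    te = headers.get("transfer-encoding")
    if te is None:
        return "content-length" if "content-length" in headers else "none"
    codings = [c.strip().lower() for c in te.split(",") if c.strip()]
    if not codings:
        return "reject"          # header present but empty
    if "content-length" in headers:
        # RFC 7230: Transfer-Encoding overrides, but a message carrying
        # both framing headers "ought to be handled as an error".
        return "reject"
    if codings[-1] != "chunked" or codings.count("chunked") != 1:
        return "reject"          # length not determinable / chunked misused
    return "chunked"


def framing_disagrees(headers: dict) -> bool:
    """True when the two parsers would read different body lengths for the
    same headers, i.e. a request on which a pipeline could be desynced."""
    return naive_framing(headers) != compliant_framing(headers)


if __name__ == "__main__":
    # Constructed sample header sets, not captured traffic.
    for h in ({"transfer-encoding": "chunked"},
              {"transfer-encoding": "gzip, chunked"},
              {"transfer-encoding": "gzip, chunked", "content-length": "4"}):
        print(h, naive_framing(h), compliant_framing(h), framing_disagrees(h))
```

The second and third sample sets are exactly the shape the description refers to: the naive check never sees "chunked" and falls back to Content-Length or to no body at all, while the list-aware check reads the message as chunked or rejects it outright.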

Weakness Enumeration

HTTP Request/Response Smuggling

Related Identifiers

ALT-PU-2021-1655
BDU:2022-05688
CVE-2019-16786
DLA-3000-1
GHSA-G2XC-35JW-C63P
MGASA-2020-0083
OPENSUSE-SU-2020:1911-1
OPENSUSE-SU-2020:1922-1
OPENSUSE-SU-2020_1911-1
OPENSUSE-SU-2020_1922-1
PYSEC-2019-137
RHSA-2020:0720
SUSE-RU-2020:2072-1
SUSE-RU-2020:2161-1
SUSE-SU-2020:1901-1
SUSE-SU-2020:3269-1
SUSE-SU-2020:3292-1

Affected Products

Alt Linux
Astra Linux
Suse
Waitress