PT-2019-6231 · Waitress+3

Published: 2019-12-19 · Updated: 2022-09-23 · CVE-2019-16785

CVSS v2.0: 7.8 (High) · Vector: AV:N/AC:L/Au:N/C:N/I:C/A:N

Name of the Vulnerable Software and Affected Versions: Waitress versions 1.3.1 and earlier

Description: The issue arises from Waitress implementing a "MAY" clause of RFC 7230 that allows a single LF to be recognized as a line terminator, with any preceding CR ignored. This creates the potential for HTTP request smuggling or splitting whenever a front-end server does not parse header fields terminated by a bare LF the same way it parses those terminated by CRLF. As a result, Waitress may see two requests where the front-end server sees only a single HTTP message. For example, a request with a Content-Length header, followed by an X-Header line that ends with a bare LF, followed by another Content-Length header, can be treated by Waitress as two separate requests.

Recommendations: For Waitress versions 1.3.1 and earlier, upgrade to Waitress 1.4.0 to fix the issue. In Waitress 1.4.0 the implementation of the "MAY" clause has been changed to require that every line is terminated with CRLF; any line found with a bare CR or LF results in a 400 Bad Request being sent back to the requesting entity. As a temporary workaround, consider using a reverse proxy that protects against forwarding potentially malformed HTTP requests to the backend, or otherwise hardening the front end against issues of this kind. Additionally, using HTTP/1.0 instead of HTTP/1.1 for the connection to the backend may partially mitigate the issue, since HTTP pipelining does not exist in HTTP/1.0 and Waitress will close the connection after every single request.
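The parsing discrepancy described above, and the strict CRLF check that the 1.4.0 fix introduces, as an added illustration (this is example code written for this page, not Waitress's own parser; the request bytes, header names and host are constructed):

```python
import re

# Constructed request bytes in the shape the advisory describes: a
# Content-Length header, an X-Header line ending in a bare LF, then a second
# Content-Length header. Not captured from any real system.
SAMPLE = (
    b"POST / HTTP/1.1\r\n"
    b"Host: example.invalid\r\n"
    b"Content-Length: 10\r\n"
    b"X-Header: ignored\n"
    b"Content-Length: 20\r\n"
    b"\r\n"
)

# A CR not followed by LF, or an LF not preceded by CR.
BARE_CR_OR_LF = re.compile(rb"\r(?!\n)|(?<!\r)\n")


def head_of(raw):
    """Return the request line plus header block, without the closing CRLF CRLF."""
    return raw.split(b"\r\n\r\n", 1)[0]


def lines_crlf_only(head):
    """Front-end style: only CRLF ends a line; a bare LF stays inside a value."""
    return head.split(b"\r\n")


def lines_lf_tolerant(head):
    """Waitress <= 1.3.1 style (the RFC 7230 'MAY'): LF ends a line, a preceding CR is dropped."""
    return [line.rstrip(b"\r") for line in head.split(b"\n")]


def content_lengths(lines):
    """Content-Length values a parser would see, in order of appearance."""
    return [int(l.split(b":", 1)[1]) for l in lines
            if l.lower().startswith(b"content-length:")]


def strict_parse(raw):
    """Waitress 1.4.0 behaviour: any bare CR or LF in the head yields a 400."""
    head = head_of(raw)
    if BARE_CR_OR_LF.search(head):
        return 400, None
    return 200, lines_crlf_only(head)


if __name__ == "__main__":
    head = head_of(SAMPLE)
    print("front-end sees   :", content_lengths(lines_crlf_only(head)))   # [10]
    print("lenient backend  :", content_lengths(lines_lf_tolerant(head)))  # [10, 20]
    print("strict backend   :", strict_parse(SAMPLE)[0])                   # 400
```

The same bytes yield one Content-Length for a CRLF-only front end and two for the LF-tolerant backend, which is the disagreement that enables smuggling; the strict parser refuses the message outright instead.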

Weakness Enumeration: HTTP Request/Response Smuggling

Related Identifiers

ALT-PU-2021-1655
BDU:2022-05826
CVE-2019-16785
DLA-3000-1
GHSA-PG36-WPM5-G57P
MGASA-2020-0083
OPENSUSE-SU-2020:1911-1
OPENSUSE-SU-2020:1922-1
OPENSUSE-SU-2020_1911-1
OPENSUSE-SU-2020_1922-1
PYSEC-2019-136
RHSA-2020:0720
SUSE-RU-2020:2072-1
SUSE-RU-2020:2161-1
SUSE-SU-2020:1901-1
SUSE-SU-2020:3269-1
SUSE-SU-2020:3292-1
SUSE-SU-2020_3269-1

Affected Products

Alt Linux
Astra Linux
Suse
Waitress