Name of the Vulnerable Software and Affected Versions Waitress versions prior to 1.4.0

Description The issue allows request smuggling by sending the Content-Length header twice. When a double Content-Length header is sent, it gets header folded into a comma-separated value, which cannot be cast to an integer, resulting in the Content-Length being set to 0 internally. This causes the request body to be treated as a new request in HTTP pipelining.

Recommendations For versions prior to 1.4.0, update to Waitress 1.4.0 to resolve the issue.