PT-2023-9786 · Waitress+6

Djay · Published 2023-09-11 · Updated 2025-09-22 · CVE-2024-49769

CVSS v4.0: 8.7 (High)

Vector: AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N
Name of the Vulnerable Software and Affected Versions: Waitress versions prior to 3.0.1

Description: The issue lies in the handling of the getpeername() call in the Waitress WSGI server for Python. When a remote client closes the connection before Waitress has had the opportunity to call getpeername(), Waitress fails to clean up the connection correctly. The main thread then attempts to write to a socket that no longer exists, resulting in a busy loop that repeatedly calls the write function. A remote attacker could exploit this to run Waitress out of available sockets with minimal resources.

Recommendations: For versions prior to 3.0.1, update to Waitress 3.0.1, which removes the race condition. As a temporary workaround, consider restricting access to the Waitress server to minimize the risk of exploitation.

Exploit · Fix · DoS

Weakness Enumeration: Missing Release of Resource after Effective Lifetime

Related Identifiers

AZL-51822
AZL-51831
BDU:2024-10887
CVE-2024-49769
DLA-3955-1
ECHO-283F-0619-628B
GHSA-3F84-RPWH-47G6
MGASA-2025-0053
OESA-2024-2374
OESA-2024-2375
OESA-2024-2376
OESA-2024-2377
OESA-2025-1436
OPENSUSE-SU-2024:14445-1
OPENSUSE-SU-2024_3876-1
OPENSUSE-SU-2024_4107-1
PYSEC-2024-211
RHSA-2024:10145
RHSA-2024:10535
RHSA-2024:10815
RHSA-2024:9613
RHSA-2024:9618
RHSA-2024:9623
RHSA-2025:0201
RHSA-2025:1191
RHSA-2025:1192
SUSE-SU-2024:3876-1
SUSE-SU-2024:4107-1
SUSE-SU-2024_4107-1
USN-7115-1

Affected Products

Astra Linux
Debian
Linuxmint
Red Os
Suse
Ubuntu
Waitress