PT-2024-9201 · Waitress +5

Digitalresistor +2 · Published 2024-10-29 · Updated 2025-09-03 · CVE-2024-49768

CVSS v2.0: 9.4 (Critical) · Vector: AV:N/AC:L/Au:N/C:C/I:C/A:N
Name of the Vulnerable Software and Affected Versions: Waitress versions prior to 3.0.1
Description: The issue is a race condition in the Waitress WSGI server for Python. A remote client can trigger it by sending a request that is exactly recv bytes (defaults to 8192) long, followed by a second request using HTTP pipelining. When request lookahead is enabled, Waitress can receive and process the first request and start sending the error response back to the client while it is still reading and queueing the next request. As a result, the second request is serviced by the worker thread even though the connection should have been closed.
Recommendations: For versions prior to 3.0.1, update to Waitress 3.0.1, which fixes the race condition. As a temporary workaround, disable channel request lookahead; its default value is 0, which already disables the feature, so only deployments that have explicitly enabled it are exposed.

Exploit

Fix

Weakness Enumeration: HTTP Request/Response Smuggling; Time Of Check To Time Of Use

Related Identifiers

AZL-57396
BDU:2024-10889
CVE-2024-49768
ECHO-B844-FA43-FD25
GHSA-9298-4CF8-G4WJ
MGASA-2025-0053
OESA-2024-2333
OESA-2024-2334
OESA-2024-2335
OESA-2024-2336
OPENSUSE-SU-2024_3876-1
PYSEC-2024-210
RHSA-2024:10145
RHSA-2024:10535
RHSA-2024:10815
RHSA-2024:9613
RHSA-2024:9618
RHSA-2024:9623
RHSA-2025:0201
RHSA-2025:1191
RHSA-2025:1192
SUSE-SU-2024:3876-1
SUSE-SU-2024_3876-1
USN-7115-1

Affected Products

Astra Linux
Debian
Linuxmint
Suse
Ubuntu
Waitress