Waitress through version 1.3.1 allows request smuggling by sending the Content-Length header twice. Waitress would header fold a double Content-Length header and due to being unable to cast the now comma separated value to an integer would set the Content-Length to 0 internally. If two Content-Length headers are sent in a single request, Waitress would treat the request as having no body, thereby treating the body of the request as a new request in HTTP pipelining. This issue is fixed in Waitress 1.4.0.
{ "nvd_published_at": "2020-01-22T19:15:00Z", "github_reviewed_at": "2022-06-27T16:10:41Z", "severity": "HIGH", "github_reviewed": true, "cwe_ids": [ "CWE-444" ] }