{"id":"GHSA-g2xc-35jw-c63p","summary":"HTTP Request Smuggling: Invalid Transfer-Encoding in Waitress","details":"### Impact\n\nWaitress would parse the `Transfer-Encoding` header and only look for a single string value, if that value was not `chunked` it would fall through and use the `Content-Length` header instead.\n\nAccording to the HTTP standard `Transfer-Encoding` should be a comma separated list, with the inner-most encoding first, followed by any further transfer codings, ending with `chunked`.\n\nRequests sent with:\n\n```\nTransfer-Encoding: gzip, chunked\n```\n\nWould incorrectly get ignored, and the request would use a `Content-Length` header instead to determine the body size of the HTTP message.\n\nThis could allow for Waitress to treat a single request as multiple requests in the case of HTTP pipelining.\n\n### Patches\n\nThis issue is fixed in Waitress 1.4.0. This brings a range of changes to harden Waitress against potential HTTP request confusions, and may change the behaviour of Waitress behind non-conformist proxies. \n\nWaitress will now return a 501 Not Implemented error if the `Transfer-Encoding` is not `chunked` or contains multiple elements. Waitress does not support any transfer codings such as `gzip` or `deflate`.\n\nThe Pylons Project recommends upgrading as soon as possible, while validating that the changes in Waitress don't cause any changes in behavior.\n\n### Workarounds\n\nVarious reverse proxies may have protections against sending potentially bad HTTP requests to the backend, and or hardening against potential issues like this. If the reverse proxy doesn't use HTTP/1.1 for connecting to the backend issues are also somewhat mitigated, as HTTP pipelining does not exist in HTTP/1.0 and Waitress will close the connection after every single request (unless the Keep Alive header is explicitly sent... so this is not a fool proof security method).\n\n### Issues/more security issues:\n\n* open an issue at https://github.com/Pylons/waitress/issues (if not sensitive or security related)\n* email the Pylons Security mailing list: pylons-project-security@googlegroups.com (if security related)","aliases":["CVE-2019-16786","PYSEC-2019-137"],"modified":"2026-03-13T22:14:16.440275Z","published":"2019-12-20T23:04:18Z","related":["CVE-2019-16786"],"database_specific":{"severity":"MODERATE","cwe_ids":["CWE-444"],"github_reviewed_at":"2019-12-20T23:01:53Z","nvd_published_at":"2019-12-20T23:15:00Z","github_reviewed":true},"references":[{"type":"WEB","url":"https://github.com/Pylons/waitress/security/advisories/GHSA-g2xc-35jw-c63p"},{"type":"ADVISORY","url":"https://nvd.nist.gov/vuln/detail/CVE-2019-16786"},{"type":"WEB","url":"https://github.com/Pylons/waitress/commit/f11093a6b3240fc26830b6111e826128af7771c3"},{"type":"WEB","url":"https://access.redhat.com/errata/RHSA-2020:0720"},{"type":"WEB","url":"https://docs.pylonsproject.org/projects/waitress/en/latest/#security-fixes"},{"type":"PACKAGE","url":"https://github.com/Pylons/waitress"},{"type":"WEB","url":"https://github.com/pypa/advisory-database/tree/main/vulns/waitress/PYSEC-2019-137.yaml"},{"type":"WEB","url":"https://lists.debian.org/debian-lts-announce/2022/05/msg00011.html"},{"type":"WEB","url":"https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/GVDHR2DNKCNQ7YQXISJ45NT4IQDX3LJ7"},{"type":"WEB","url":"https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/LYEOTGWJZVKPRXX2HBNVIYWCX73QYPM5"},{"type":"WEB","url":"https://www.oracle.com/security-alerts/cpuapr2022.html"}],"affected":[{"package":{"name":"waitress","ecosystem":"PyPI","purl":"pkg:pypi/waitress"},"ranges":[{"type":"ECOSYSTEM","events":[{"introduced":"0"},{"fixed":"1.4.0"}]}],"versions":["0.1","0.2","0.3","0.4","0.5","0.6","0.6.1","0.7","0.8","0.8.1","0.8.10","0.8.11b0","0.8.2","0.8.3","0.8.4","0.8.5","0.8.6","0.8.7","0.8.8","0.8.9","0.9.0","0.9.0b0","0.9.0b1","1.0.0","1.0.1","1.0.2","1.0a1","1.0a2","1.1.0","1.2.0","1.2.0b1","1.2.0b2","1.2.0b3","1.2.1","1.3.0","1.3.0b0","1.3.1"],"database_specific":{"source":"https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2019/12/GHSA-g2xc-35jw-c63p/GHSA-g2xc-35jw-c63p.json"}}],"schema_version":"1.7.5","severity":[{"type":"CVSS_V3","score":"CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:C/C:H/I:L/A:N"},{"type":"CVSS_V4","score":"CVSS:4.0/AV:N/AC:L/AT:P/PR:L/UI:N/VC:N/VI:N/VA:N/SC:H/SI:L/SA:N"}]}