Critical Vulnerability in Waitress WSGI Server: CVE-2024-49768 – What You Need to Know
The Pylons Project has released a crucial security advisory addressing a vulnerability in the Waitress WSGI server, tracked as CVE-2024-49768. This vulnerability, assigned a CVSS score of 9.1, represents a serious concern for applications using Waitress, especially in production environments where secure and stable performance is essential.
Waitress is a pure-Python WSGI server commonly used for production web applications. Known for its high performance and compatibility, it has become a go-to server solution for developers on both Unix and Windows platforms. Waitress is a production-quality pure-Python WSGI server with very acceptable performance. It has no dependencies except ones which live in the Python standard library. Given its versatility, Waitress supports multiple environments, including CPython and PyPy 3, and offers HTTP/1.0 and HTTP/1.1 support.
CVE-2024-49768 exposes a request processing race condition that manifests when handling HTTP pipelining. Specifically, a remote client may initiate this race condition by sending a request exactly equal to recv_bytes (default set to 8192 bytes) and then immediately following it with a second, pipelined request. In scenarios where request lookahead is enabled, the server might erroneously process this secondary request despite a failure in the first request’s parsing.
The advisory elaborates on the nature of the vulnerability: “When request lookahead is disabled (default), we won’t read any more requests, and when the first request fails due to a parsing error, we simply close the connection. However, when request lookahead is enabled, it is possible to process and receive the first request, start sending the error message back to the client while we read the next request and queue it.” This error could allow a secondary request to bypass standard parsing checks and be handled by a worker thread, which should ideally terminate the connection.
The Pylons Project credits m4yfly and urn1ce from the TianGong Team of Legendsec at Qi’anxin Group for identifying and responsibly disclosing this vulnerability.
Waitress version 3.0.1 has been released to mitigate this vulnerability by correcting the underlying race condition, ensuring no secondary requests are inadvertently processed. The Pylons Project recommends all users immediately update to this version to secure their applications against potential exploits.
For those unable to apply the update immediately, the Pylons Project provides a temporary workaround by disabling channel_request_lookahead. As the advisory notes, “Disable channel_request_lookahead; this is set to 0 by default disabling this feature. For this vulnerability, this value is required to be changed from the default.” Disabling lookahead entirely minimizes the risk, although upgrading remains the most effective protection.
