Critical Vulnerability Patched in Waitress WSGI Server

Summary: The Pylons Project has issued a security advisory for a critical vulnerability (CVE-2024-49768) in the Waitress WSGI server, which could allow unauthorized request processing due to a race condition. Users are urged to upgrade to version 3.0.1 to mitigate this risk, with a temporary workaround available for those unable to update immediately.

Threat Actor: TianGong Team of Legendsec at Qi'anxin Group | TianGong Team of Legendsec
Victim: Waitress WSGI server | Waitress WSGI server

Key Points:

  • The vulnerability is caused by a request processing race condition during HTTP pipelining, affecting applications in production environments.
  • A CVSS score of 9.1 highlights the severity of the issue, prompting immediate updates to version 3.0.1 for all users.
  • Temporary mitigation involves disabling the channel_request_lookahead feature, although upgrading is the recommended solution.

The Pylons Project has released a crucial security advisory addressing a vulnerability in the Waitress WSGI server, tracked as CVE-2024-49768. This vulnerability, assigned a CVSS score of 9.1, represents a serious concern for applications using Waitress, especially in production environments where secure and stable performance is essential.

Waitress is a production-quality, pure-Python WSGI server with very acceptable performance and no dependencies outside the Python standard library. Known for its performance and compatibility, it has become a go-to server for developers on both Unix and Windows platforms; it runs on CPython and PyPy 3 and supports both HTTP/1.0 and HTTP/1.1.

CVE-2024-49768 exposes a request processing race condition that manifests when handling HTTP pipelining. Specifically, a remote client may trigger the race by sending a request whose size is exactly recv_bytes (8192 bytes by default) and immediately following it with a second, pipelined request. When request lookahead is enabled, the server may erroneously process this second request even though parsing of the first request failed.

The advisory elaborates on the nature of the vulnerability: "When request lookahead is disabled (default), we won't read any more requests, and when the first request fails due to a parsing error, we simply close the connection. However, when request lookahead is enabled, it is possible to process and receive the first request, start sending the error message back to the client while we read the next request and queue it." As a result, the second request can bypass the standard parsing checks and be handed to a worker thread, on a connection that should instead have been closed after the first request's parse failure.

The Pylons Project credits m4yfly and urn1ce from the TianGong Team of Legendsec at Qi'anxin Group for identifying and responsibly disclosing this vulnerability.

Waitress version 3.0.1 has been released to mitigate this vulnerability by correcting the underlying race condition, ensuring no secondary requests are inadvertently processed. The Pylons Project recommends all users immediately update to this version to secure their applications against potential exploits.

For those unable to apply the update immediately, the Pylons Project provides a temporary workaround by disabling channel_request_lookahead. As the advisory notes, "Disable channel_request_lookahead; this is set to 0 by default disabling this feature. For this vulnerability, this value is required to be changed from the default." Disabling lookahead entirely minimizes the risk, although upgrading remains the most effective protection.
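As an added example (not code from the advisory or from the Waitress project), the following Python helper turns the two facts above into a deployment check: it compares the installed version against the 3.0.1 fix and inspects the channel_request_lookahead setting, and can rewrite a set of waitress.serve() keyword arguments to apply the advisory's workaround on unpatched builds. The function names, the Assessment type and the sample versions are assumptions for illustration.

```python
"""Exposure check for CVE-2024-49768 (Waitress request-lookahead race).
Added example, not code from the advisory or Waitress itself. Thresholds are
the advisory's: fixed in 3.0.1; older builds are exposed only when
channel_request_lookahead is raised above its default of 0."""
from __future__ import annotations

import re
from dataclasses import dataclass

FIXED_VERSION = (3, 0, 1, 0)
_VERSION_RE = re.compile(r"^(\d+)(?:\.(\d+))?(?:\.(\d+))?(.*)$")


def parse_version(version: str) -> tuple[int, int, int, int]:
    """'3.0.1' -> (3, 0, 1, 0); anything with a suffix like '3.0.1rc1' -> (3, 0, 1, -1),
    so a pre-release sorts below the final release and is not mistaken for the fix."""
    match = _VERSION_RE.match(version.strip())
    if not match:
        raise ValueError(f"unrecognised version string: {version!r}")
    major, minor, patch, suffix = match.groups()
    return (int(major), int(minor or 0), int(patch or 0), -1 if suffix else 0)


@dataclass(frozen=True)
class Assessment:
    vulnerable: bool
    reason: str
    action: str


def assess_waitress_config(version: str, channel_request_lookahead: int = 0) -> Assessment:
    """Verdict from the installed version plus the lookahead setting."""
    if parse_version(version) >= FIXED_VERSION:
        return Assessment(False, f"Waitress {version} contains the fix", "none")
    if channel_request_lookahead <= 0:
        return Assessment(False, "channel_request_lookahead is 0; the race is not reachable",
                          "upgrade to >= 3.0.1 when possible")
    return Assessment(True, f"Waitress {version} with channel_request_lookahead="
                      f"{channel_request_lookahead}",
                      "upgrade to >= 3.0.1, or set channel_request_lookahead=0 until then")


def harden_serve_kwargs(version: str, **serve_kwargs: object) -> dict[str, object]:
    """Copy of waitress.serve() keyword arguments with the workaround applied if needed."""
    kwargs = dict(serve_kwargs)
    lookahead = int(kwargs.get("channel_request_lookahead", 0))
    if assess_waitress_config(version, lookahead).vulnerable:
        kwargs["channel_request_lookahead"] = 0  # the advisory's temporary workaround
    return kwargs
```

Calling `harden_serve_kwargs("3.0.0", port=8080, channel_request_lookahead=5)` on a constructed unpatched deployment returns the same arguments with the lookahead reset to 0, while on 3.0.1 the arguments are returned unchanged.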

Source: https://securityonline.info/critical-vulnerability-in-waitress-wsgi-server-cve-2024-49768-what-you-need-to-know