waitress 2.1.1 vulnerabilities

Known vulnerabilities in the waitress package. This does not include vulnerabilities belonging to this package’s dependencies.

Vulnerability	Vulnerable Version
C Time-of-check Time-of-use (TOCTOU) Race Condition waitress is a production-quality pure-Python WSGI server with very acceptable performance. Affected versions of this package are vulnerable to Time-of-check Time-of-use (TOCTOU) Race Condition in HTTP pipelining when handling an invalid initial request. An attacker can exploit this vulnerability to process unauthorized requests by sending a specially crafted sequence of requests where the first request is exactly `recv_bytes` long and followed by a secondary request using HTTP pipelining. How to fix Time-of-check Time-of-use (TOCTOU) Race Condition? Upgrade `waitress` to version 3.0.1 or higher.	[2.0.0,3.0.1)
H Missing Release of Resource after Effective Lifetime waitress is a production-quality pure-Python WSGI server with very acceptable performance. Affected versions of this package are vulnerable to Missing Release of Resource after Effective Lifetime due to the improper handling of socket connections when a remote client prematurely closes the connection, before `waitress` has had the opportunity to call `getpeername()`. An attacker can exhaust system resources and cause high CPU usage by repeatedly opening and closing connections, leading to a busy-loop in the server's socket handling. How to fix Missing Release of Resource after Effective Lifetime? Upgrade `waitress` to version 3.0.1 or higher.	[,3.0.1)
M Denial of Service (DoS) waitress is a production-quality pure-Python WSGI server with very acceptable performance. Affected versions of this package are vulnerable to Denial of Service (DoS) due to a race condition that may cause early termination when a thread closes a socket while the main thread is about to call `select()`. This will lead to the main thread raising an exception that is not handled, resulting in the entire application being killed. Note: Users using `waitress` behind a reverse proxy server are less likely to have issues if the reverse proxy always reads the full response. How to fix Denial of Service (DoS)? Upgrade `waitress` to version 2.1.2 or higher.	[2.1.0,2.1.2)

Vulnerability

Vulnerable Version

Time-of-check Time-of-use (TOCTOU) Race Condition

waitress is a production-quality pure-Python WSGI server with very acceptable performance.

Affected versions of this package are vulnerable to Time-of-check Time-of-use (TOCTOU) Race Condition in HTTP pipelining when handling an invalid initial request. An attacker can exploit this vulnerability to process unauthorized requests by sending a specially crafted sequence of requests where the first request is exactly recv_bytes long and followed by a secondary request using HTTP pipelining.

How to fix Time-of-check Time-of-use (TOCTOU) Race Condition?

Upgrade waitress to version 3.0.1 or higher.

[2.0.0,3.0.1)

Missing Release of Resource after Effective Lifetime

waitress is a production-quality pure-Python WSGI server with very acceptable performance.

Affected versions of this package are vulnerable to Missing Release of Resource after Effective Lifetime due to the improper handling of socket connections when a remote client prematurely closes the connection, before waitress has had the opportunity to call getpeername(). An attacker can exhaust system resources and cause high CPU usage by repeatedly opening and closing connections, leading to a busy-loop in the server's socket handling.

How to fix Missing Release of Resource after Effective Lifetime?

Upgrade waitress to version 3.0.1 or higher.

[,3.0.1)

Denial of Service (DoS)

waitress is a production-quality pure-Python WSGI server with very acceptable performance.

Affected versions of this package are vulnerable to Denial of Service (DoS) due to a race condition that may cause early termination when a thread closes a socket while the main thread is about to call select(). This will lead to the main thread raising an exception that is not handled, resulting in the entire application being killed.

Note: Users using waitress behind a reverse proxy server are less likely to have issues if the reverse proxy always reads the full response.

How to fix Denial of Service (DoS)?

Upgrade waitress to version 2.1.2 or higher.

[2.1.0,2.1.2)

waitress@2.1.1 vulnerabilities

Waitress WSGI server

latest version

latest non vulnerable version

first published

latest version published

licenses detected

Direct Vulnerabilities

How to fix?