CVE-2024-49768

9.1 CRITICAL

📋 TL;DR

A race condition in the Waitress WSGI server allows HTTP pipelining attacks when request lookahead is enabled. A remote client sends a first request that is exactly recv_bytes (default 8192) bytes long and fails to parse, followed by a pipelined second request. With lookahead disabled, the parsing error closes the connection and nothing further is read; with channel_request_lookahead above 0, Waitress has already read and queued the second request and hands it to a worker thread while the error response for the first is still being sent, so a request that should have died with the connection is serviced. This affects Python applications serving through Waitress with request lookahead enabled.

💻 Affected Systems

Products:
  • Waitress
Versions: All versions before 3.0.1 that have the channel_request_lookahead option (introduced in Waitress 2.0.0)
Operating Systems: All platforms running Python
Default Config Vulnerable: ✅ No
Notes: Only vulnerable when channel_request_lookahead is explicitly enabled (disabled by default).

📦 What is this software?

Waitress is a production-quality, pure-Python WSGI server from the Pylons Project. It has no dependencies outside the standard library and is commonly used to serve Pyramid, Flask and other WSGI applications, either behind a reverse proxy or directly exposed.

⚠️ Risk & Real-World Impact

🔴

Worst Case

An attacker gets a pipelined second request serviced by a worker thread even though the malformed first request should have closed the connection. Any security control that assumed the malformed request terminated the connection is bypassed, and the application handles a request it was never meant to see; the consequences (data exposure, unauthorized actions) depend on what that request does inside the application.

🟠

Likely Case

A pipelined request that should have been discarded is processed as an ordinary application request. The attacker gains exactly what that request would achieve in the application (reading or changing data it can reach); the flaw does not by itself give code execution in Waitress.

🟢

If Mitigated

With request lookahead disabled (default), the vulnerability is not exploitable as connections close properly on parsing errors.

🌐 Internet-Facing: HIGH
🏢 Internal Only: MEDIUM

🎯 Exploit Status

Public PoC: ✅ No
Weaponized: UNKNOWN
Unauthenticated Exploit: ⚠️ Yes
Complexity: MEDIUM

Requires HTTP pipelining: a first request of exactly recv_bytes (default 8192) bytes that fails to parse, immediately followed on the same connection by the second request, against a server started with channel_request_lookahead greater than 0. Nothing about reaching the request parser requires authentication.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: Waitress 3.0.1

Vendor Advisory: https://github.com/Pylons/waitress/security/advisories/GHSA-9298-4cf8-g4wj

Restart Required: Yes

Instructions:

1. Upgrade Waitress to version 3.0.1 or later using pip: pip install --upgrade 'waitress>=3.0.1' (quote the specifier, otherwise the shell treats >= as a redirect and writes a file named =3.0.1)
2. Restart all Waitress services
3. Verify the new version is running

🔧 Temporary Workarounds

Disable request lookahead

Applies to: all affected versions

Set channel_request_lookahead to 0 (its default) so Waitress stops reading after the current request and closes the connection on a parsing error.

The option can be set in three places; audit all of them for a non-zero value: the channel_request_lookahead keyword argument of waitress.serve(), the channel_request_lookahead key in a PasteDeploy [server:main] section, and --channel-request-lookahead=0 on the waitress-serve command line.

🧯 If You Can't Patch

  • Ensure channel_request_lookahead is set to 0 in all Waitress configurations
  • Implement network controls to block or monitor HTTP pipelining requests

🔍 How to Verify

Check if Vulnerable:

Check the Waitress version and configuration: if the version is below 3.0.1 AND channel_request_lookahead is greater than 0, the system is vulnerable. Check every place the option can be set (serve() keyword, PasteDeploy ini, waitress-serve flag), not just one of them.

Check Version:

pip show waitress | grep Version

Verify Fix Applied:

Confirm that the running process uses Waitress 3.0.1 or higher (restart after upgrading, since the old module stays loaded otherwise). If the upgrade has not happened yet, confirm instead that channel_request_lookahead is 0 everywhere it could be set.
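The version-and-configuration check above, and the workaround from the mitigation section, as one script. This is an added example, not code from the page or from the Waitress project; it assumes the deployment's server settings live in a PasteDeploy-style ini with a [server:main] section (the sample ini is constructed), compares a version string against 3.0.1, and rewrites the weak setting to the safe value.

```python
"""Added example (not from the advisory or the Waitress project): decide whether a
Waitress deployment is exposed to CVE-2024-49768 from its version and its
channel_request_lookahead setting, and rewrite that setting to the safe value.

Assumption: server settings live in a PasteDeploy-style ini with a
[server:main] section. WEAK_INI below is constructed for the example.
"""
import configparser
import io
import re
from importlib.metadata import PackageNotFoundError, version as installed_version

FIXED_VERSION = (3, 0, 1)        # first release carrying the fix
SECTION = "server:main"          # PasteDeploy section Waitress reads its settings from
OPTION = "channel_request_lookahead"

# Constructed sample of a weak deployment: lookahead enabled on an unpatched server.
WEAK_INI = """\
[app:main]
use = egg:myapp

[server:main]
use = egg:waitress#main
host = 0.0.0.0
port = 8080
channel_request_lookahead = 16
"""


def parse_version(text):
    """'3.0.1' -> (3, 0, 1); '2.1' -> (2, 1, 0); suffixes like '.dev0' are ignored."""
    nums = [int(n) for n in re.findall(r"\d+", text)[:3]]
    return tuple(nums + [0] * (3 - len(nums)))


def lookahead_from_ini(ini_text):
    """Configured channel_request_lookahead, or 0 (Waitress's default) when unset."""
    cp = configparser.ConfigParser()
    cp.read_string(ini_text)
    if not cp.has_section(SECTION):
        return 0
    return cp.getint(SECTION, OPTION, fallback=0)


def is_vulnerable(waitress_version, lookahead):
    """Exposure needs both conditions: unfixed version AND lookahead enabled."""
    return parse_version(waitress_version) < FIXED_VERSION and lookahead > 0


def harden_ini(ini_text):
    """Return the ini with channel_request_lookahead forced to 0 (the workaround)."""
    cp = configparser.ConfigParser()
    cp.read_string(ini_text)
    if not cp.has_section(SECTION):
        cp.add_section(SECTION)
    cp.set(SECTION, OPTION, "0")
    out = io.StringIO()
    cp.write(out)
    return out.getvalue()


def assess(waitress_version, ini_text):
    """Summarise version, effective lookahead and the resulting verdict."""
    lookahead = lookahead_from_ini(ini_text)
    return {
        "version": waitress_version,
        "lookahead": lookahead,
        "vulnerable": is_vulnerable(waitress_version, lookahead),
    }


def assess_installed(ini_text):
    """Same check against the waitress installed in this environment (None if absent)."""
    try:
        ver = installed_version("waitress")
    except PackageNotFoundError:
        return None
    return assess(ver, ini_text)


if __name__ == "__main__":
    print(assess("3.0.0", WEAK_INI))               # old version + lookahead 16: vulnerable
    print(assess("3.0.0", harden_ini(WEAK_INI)))   # workaround applied: lookahead 0
    print(assess("3.0.1", WEAK_INI))               # patched: lookahead may stay enabled
    print(assess_installed(WEAK_INI))              # whatever is installed here, if anything
```

Run it in the same virtualenv as the application so assess_installed() sees the version the service actually loads; for deployments that call waitress.serve() directly, grep the start-up code for the keyword instead of parsing an ini.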

📡 Detection & Monitoring

Log Indicators:

  • Multiple HTTP requests on same connection with parsing errors
  • Unexpected request processing after error responses

Network Indicators:

  • HTTP pipelining requests to Waitress servers
  • Multiple requests sent before receiving responses

SIEM Query (a starting point only: Waitress does not log the word "pipelining", so pair this with the reverse proxy's access log and look for a 400-class error response followed within milliseconds by a successful response to the same client address):

source="waitress" AND ("parsing error" OR "400 Bad Request")

🔗 References

  • Vendor advisory: https://github.com/Pylons/waitress/security/advisories/GHSA-9298-4cf8-g4wj