Impact
When Waitress receives a header that contains invalid characters, the regular expression engine catastrophically backtracks, driving the process to 100% CPU and blocking every other request the server is handling.
This would allow an attacker…
How YouTube supports elections
As the 2020 election season kicks into high gear in the United States, people will visit YouTube to learn about the candidates and watch the election season unfold. Over the last few years, we’ve increased our efforts to make YouTube a more reliable so…
J-POP themes and lyrics as seen in Yukihiro Takahashi's "Adult Pure Love Trilogy". April 4, 1990: the day Yukihiro Takahashi's album "BROADCAST FROM HEAVEN" was released
Yukihiro Takahashi's "Adult Pure Love Trilogy": its themes are heaven, the afterlife and happiness. In 1989, the first year of Heisei, on "Yoru no Hit Studio" the host…
Western Union and Bharti Airtel announce a real-time global payments service covering millions of Indian bank accounts and mobile wallets across African countries
India: Airtel Payments Bank customers will soon be able to use the app, 24 hours a day, to … Western…
[django] Potential account hijack via password reset form in Django
Django before 1.11.27, 2.x before 2.2.9, and 3.x before 3.0.1 allows account takeover. A suitably crafted email address (that is equal to an existing user’s email address after case transformation of Unicode characters) would allow an attacker to be se…
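The failure mode above is that a database-side case-insensitive lookup can match an account whose stored address differs from the submitted one once Unicode case mapping is applied, and the reset flow then mails the token to the submitted address. The following is an added illustration, not Django's code or its patch: a constructed user store, a lookup that folds case with `str.upper()` (standing in for a SQL `UPPER()` comparison), a reset flow that delivers to the typed address, and a hardened flow that delivers only to the stored address and re-checks the match with NFKC + casefold in Python. The names `USERS`, `db_case_insensitive_lookup`, `vulnerable_reset` and `hardened_reset` are hypothetical. It uses U+017F LATIN SMALL LETTER LONG S, which `upper()` maps to `S`, as the colliding character.

```python
import unicodedata

# Constructed user store standing in for the database (hypothetical, not Django's ORM).
USERS = [{"email": "sam@example.org", "active": True, "usable_password": True}]

# Attacker-chosen address: U+017F LATIN SMALL LETTER LONG S instead of 's'.
ATTACKER_ADDRESS = "\u017fam@example.org"


def db_case_insensitive_lookup(submitted):
    """Stand-in for a SQL lookup such as UPPER(email) = UPPER(%s).

    Database collations differ, and here str.upper() folds U+017F to 'S', so the
    attacker's address matches the victim's row.
    """
    return [u for u in USERS if u["email"].upper() == submitted.upper()]


def vulnerable_reset(submitted):
    """Reset flow in the shape the advisory describes (hypothetical code).

    Returns (matched account, recipient) pairs; the token mail goes to the
    address the requester typed, not the one stored on the account.
    """
    return [(u["email"], submitted) for u in db_case_insensitive_lookup(submitted)]


def ci_compare(a, b):
    """Case-insensitive identifier comparison: NFKC normalisation, then casefold."""
    return (unicodedata.normalize("NFKC", a).casefold()
            == unicodedata.normalize("NFKC", b).casefold())


def hardened_reset(submitted):
    """Deliver only to the stored address, and re-check the match in Python so a
    permissive database collation cannot widen what counts as equal."""
    return [(u["email"], u["email"])
            for u in db_case_insensitive_lookup(submitted)
            if u["active"] and u["usable_password"] and ci_compare(submitted, u["email"])]


if __name__ == "__main__":
    print("vulnerable:", vulnerable_reset(ATTACKER_ADDRESS))
    print("hardened:  ", hardened_reset(ATTACKER_ADDRESS))
```

The decisive change is the recipient: once the link is sent only to the address on file, a collision in the lookup at worst triggers a reset mail to the legitimate owner, and the Python-side comparison keeps the match set independent of whichever database collation happens to be in use.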
Three films for getting to know Ryuichi Sakamoto!! Including rare footage of him speaking in his own words. Happy 68th birthday, Professor!
Ryuichi Sakamoto, the musician who has always run at the cutting edge of his era. Turning 68 on January 17, 2020, the world-renowned musi…
YouTube Originals announces new documentary, “Coachella: 20 Years in the Desert." Premieres March 31.
In celebration of Coachella’s 20th anniversary, YouTube Originals is partnering with Coachella Valley Music and Arts Festival for a feature-length documentary, “Coachella: 20 Years in the Desert.” It is set to premiere March 31. The announcement comes …
Better protecting kids’ privacy on YouTube
Last September, we announced a series of changes to better protect kids and their privacy on YouTube and to address concerns raised by the U.S. Federal Trade Commission (FTC). Specifically, that all creators will be required to designate their content …
[waitress] HTTP Request Smuggling: Content-Length Sent Twice in Waitress
Impact
Waitress would fold a doubled Content-Length header into a single comma-separated value and, because that value could not be cast to an integer, would set its internal Content-Length to 0.
So a request with:
Content-Length: 10
Content-Length: 10
would g…
[waitress] HTTP Request Smuggling: Invalid Transfer-Encoding in Waitress
Impact
Waitress parsed the Transfer-Encoding header looking only for a single string value; if that value was not exactly chunked, it fell through and used the Content-Length header instead.
According to the HTTP standard Transfer-Encoding should be …
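Both Waitress advisories above (the doubled Content-Length and the non-bare Transfer-Encoding) come down to how the server decides where a request body ends. The block below is an added example, not Waitress's code: a header splitter that keeps duplicates, a body-framing resolver in the style the advisories describe (folding repeated headers, matching only a whole value of `chunked`, and turning an un-parsable Content-Length into 0), and a hardened resolver that follows the RFC 7230 §3.3.3 rules (Transfer-Encoding takes precedence, `chunked` must be the final coding, and conflicting or repeated Content-Length is rejected). The sample requests are constructed, and the names `parse_headers`, `fold`, `vulnerable_framing`, `hardened_framing` and `compare` are hypothetical.

```python
import re

# Constructed sample requests (not captured traffic) for the two advisories.
DOUBLE_CL = (b"POST / HTTP/1.1\r\nHost: example\r\n"
             b"Content-Length: 10\r\nContent-Length: 10\r\n\r\n"
             b"0123456789")
TE_NOT_BARE_CHUNKED = (b"POST / HTTP/1.1\r\nHost: example\r\n"
                       b"Transfer-Encoding: gzip, chunked\r\nContent-Length: 5\r\n\r\n")
PLAIN_CL = b"POST / HTTP/1.1\r\nHost: example\r\nContent-Length: 7\r\n\r\n"
CHUNKED = b"POST / HTTP/1.1\r\nHost: example\r\nTransfer-Encoding: chunked\r\n\r\n"


class BadRequest(Exception):
    """Raised by the hardened resolver; the server would answer 400 and close."""


def parse_headers(raw):
    """Return (name, value) pairs in wire order, keeping duplicate names separate."""
    head = raw.split(b"\r\n\r\n", 1)[0].decode("latin-1")
    pairs = []
    for line in head.split("\r\n")[1:]:          # skip the request line
        name, _, value = line.partition(":")
        pairs.append((name.strip().lower(), value.strip()))
    return pairs


def fold(pairs):
    """Header folding as the advisory describes it: repeated names joined with ', '."""
    folded = {}
    for name, value in pairs:
        folded[name] = value if name not in folded else folded[name] + ", " + value
    return folded


def vulnerable_framing(pairs):
    """Body framing in the style the advisories describe (hypothetical, not Waitress code).

    Only a Transfer-Encoding value that is exactly 'chunked' is recognised; anything
    else falls through to Content-Length, and an un-parsable Content-Length becomes 0.
    Returns 'chunked' or the byte count the server would read as the body.
    """
    folded = fold(pairs)
    te = folded.get("transfer-encoding")
    if te is not None and te.lower() == "chunked":
        return "chunked"
    try:
        return int(folded.get("content-length", "0"))   # "10, 10" -> ValueError
    except ValueError:
        return 0


def hardened_framing(pairs):
    """Framing per RFC 7230 section 3.3.3: Transfer-Encoding wins and ambiguity is rejected."""
    te_values = [v for n, v in pairs if n == "transfer-encoding"]
    if te_values:
        codings = [c.strip().lower() for c in ",".join(te_values).split(",")]
        # chunked must appear exactly once and must be the final coding; decoding of
        # any other listed coding is out of scope for this example.
        if codings.count("chunked") != 1 or codings[-1] != "chunked":
            raise BadRequest("Transfer-Encoding without a final chunked coding")
        return "chunked"        # any Content-Length present is ignored for framing
    cl_values = [v for n, v in pairs if n == "content-length"]
    if not cl_values:
        return 0
    # RFC 7230 tolerates identical duplicates; rejecting every duplicate is simpler and safe.
    if len(cl_values) != 1 or not re.fullmatch(r"[0-9]+", cl_values[0]):
        raise BadRequest("invalid or repeated Content-Length")
    return int(cl_values[0])


def compare(raw):
    """Return (vulnerable result, hardened result) for one raw request."""
    pairs = parse_headers(raw)
    try:
        hardened = hardened_framing(pairs)
    except BadRequest:
        hardened = "400"
    return vulnerable_framing(pairs), hardened


if __name__ == "__main__":
    for label, req in [("double CL", DOUBLE_CL), ("TE gzip,chunked + CL", TE_NOT_BARE_CHUNKED),
                       ("plain CL", PLAIN_CL), ("chunked", CHUNKED)]:
        vuln, hard = compare(req)
        print(f"{label:22} vulnerable={vuln!r:10} hardened={hard!r}")
```

The two smuggling cases show up directly in the results: for the doubled Content-Length the vulnerable resolver reads a 0-byte body and leaves the ten bytes that follow on the socket as the start of the next request, and for `Transfer-Encoding: gzip, chunked` it frames by Content-Length while any RFC-compliant front-end in the chain frames by chunked encoding. The hardened resolver refuses the first outright and frames the second by chunked encoding, so both ends of the connection agree on where each request ends.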