Waitress vulnerable to DoS leading to high CPU usage/resource exhaustion
Description
Published to the GitHub Advisory Database
Oct 29, 2024
Reviewed
Oct 29, 2024
Published by the National Vulnerability Database
Oct 29, 2024
Last updated
Jan 21, 2025
Impact
When a remote client closes the connection before waitress has had the opportunity to call
getpeername()
waitress won't correctly clean up the connection leading to the main thread attempting to write to a socket that no longer exists, but not removing it from the list of sockets to attempt to process. This leads to a busy-loop calling the write function.A remote attacker could run waitress out of available sockets with very little resources required.
Patches
Waitress 3.0.1 contains fixes that remove the race condition.
Workarounds
No work-around.
References
References