CVE-2019-16789

Name: CVE-2019-16789
Creator: NVD / NIST
Published: 2019-12-26T17:15:13.707+00:00
License: https://creativecommons.org/publicdomain/zero/1.0/

HIGHCVSS 8.2/10EPSS 2.59%

Last modified Jun 17, 2026

CVE-2019-16789 is a high-severity vulnerability rated 8.2/10 on the CVSS scale. In Waitress through version 1.4.0, if a proxy server is used in front of waitress, an invalid request may be sent by an attacker that bypasses the front-end and is parsed differently by waitress leading to a potential for HTTP request smuggling. Specially crafted requests containing special whitespace characters in the Transfer-Encoding header would get parsed by Waitress as being a chunked request, but a front-end server would use the Content-Length instead as the Transfer-Encoding header is considered invalid due to containing invalid characters. EPSS estimates a 2.59% chance of exploitation in the next 30 days.

Description

In Waitress through version 1.4.0, if a proxy server is used in front of waitress, an invalid request may be sent by an attacker that bypasses the front-end and is parsed differently by waitress leading to a potential for HTTP request smuggling. Specially crafted requests containing special whitespace characters in the Transfer-Encoding header would get parsed by Waitress as being a chunked request, but a front-end server would use the Content-Length instead as the Transfer-Encoding header is considered invalid due to containing invalid characters. If a front-end server does HTTP pipelining to a backend Waitress server this could lead to HTTP request splitting which may lead to potential cache poisoning or unexpected information disclosure. This issue is fixed in Waitress 1.4.1 through more strict HTTP field validation.

Metrics

CVSS 3.1

8.2/10

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:H/A:N

EPSS Probability

2.59%

83.3th percentile

Probability of exploitation in the next 30 days. Learn more

Weakness Enumeration

Affected Software

Vendor	Product	Versions
Agendaless	Waitress	<= 1.4.0
Oracle	Communications Cloud Native Core Network Function Cloud Native Environment	1.10.0
Debian	Debian Linux	9.0
Fedoraproject	Fedora	30
Fedoraproject	Fedora	31
Redhat	Openstack	15

References

https://access.redhat.com/errata/RHSA-2020:0720Third Party Advisory
https://docs.pylonsproject.org/projects/waitress/en/latest/#security-fixesRelease Notes, Vendor Advisory
https://github.com/Pylons/waitress/commit/11d9e138125ad46e951027184b13242a3c1de017Patch, Third Party Advisory
https://github.com/github/advisory-review/pull/14604Broken Link, Third Party Advisory
https://lists.debian.org/debian-lts-announce/2022/05/msg00011.htmlMailing List, Third Party Advisory
https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/GVDHR2DNKCNQ7YQXISJ45NT4IQDX3LJ7/
https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/LYEOTGWJZVKPRXX2HBNVIYWCX73QYPM5/
https://www.oracle.com/security-alerts/cpuapr2022.htmlPatch, Third Party Advisory
https://access.redhat.com/errata/RHSA-2020:0720Third Party Advisory
https://docs.pylonsproject.org/projects/waitress/en/latest/#security-fixesRelease Notes, Vendor Advisory
https://github.com/Pylons/waitress/commit/11d9e138125ad46e951027184b13242a3c1de017Patch, Third Party Advisory
https://github.com/github/advisory-review/pull/14604Broken Link, Third Party Advisory
https://lists.debian.org/debian-lts-announce/2022/05/msg00011.htmlMailing List, Third Party Advisory
https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/GVDHR2DNKCNQ7YQXISJ45NT4IQDX3LJ7/
https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/LYEOTGWJZVKPRXX2HBNVIYWCX73QYPM5/
https://www.oracle.com/security-alerts/cpuapr2022.htmlPatch, Third Party Advisory

Timeline

Published: Dec 26, 2019
Last Modified: Jun 17, 2026
Status: Modified

Frequently Asked Questions

What is CVE-2019-16789?

How severe is CVE-2019-16789?

CVE-2019-16789 has a CVSS score of 8.2/10 (HIGH severity). The EPSS model estimates a 2.59% probability of exploitation in the next 30 days.

How do I fix CVE-2019-16789?

Check the vendor references and advisories linked above for patched versions and mitigation guidance. You can also run a Strix scan to test if your systems are affected.

Are you affected by CVE-2019-16789?

Run a free Strix scan to check your systems for this vulnerability.

Scan your code now

Source: NVD / NIST