
Cloud Vulnerability DB
A community-led vulnerabilities database
CVE-2020-5236 is a high-severity (CVSS 7.5) denial-of-service vulnerability in Waitress, the pure-Python WSGI server, affecting version 1.4.2 only. Disclosed on February 3, 2020, it is a catastrophic-backtracking (ReDoS) flaw in the regular expression Waitress uses to validate incoming HTTP header values. The issue was patched in version 1.4.3 (GitHub Advisory).
The flaw was introduced in 1.4.2, when the header-validation regular expression was rewritten to follow the errata for RFC 7230. Catastrophic backtracking arises when a pattern can match the same run of characters in many different ways: as long as the overall match succeeds the engine stops at the first way it finds, but when the match must fail it tries every one of them before giving up. A header value containing a single invalid character (for example a control byte) forces exactly that failure, so the process spins at 100% CPU. Because Waitress parses requests on its single I/O thread, no other connection is serviced while it is stuck in the match. A single malformed header is enough to trigger the condition, and every additional repeated valid character placed before the invalid byte multiplies the work, so processing time grows exponentially with the length of the run (GitHub Advisory).
An unauthenticated attacker can therefore send one small request with a crafted invalid header and take the service offline: the process consumes all available CPU on that request and stops responding to legitimate requests, a denial of service that costs the attacker almost nothing to sustain (GitHub Advisory).
The primary mitigation is to upgrade to Waitress 1.4.3 or later, which replaces the header-validation regular expression with one that cannot backtrack catastrophically. As a workaround, deployments with a reverse proxy in front of Waitress may already be protected if the proxy rejects requests whose headers contain invalid characters. This should be verified rather than assumed: send a request with a control character in a header value through the proxy and confirm that it is answered with a 4xx status instead of being forwarded to Waitress (GitHub Advisory).
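As an added illustration of the mechanism and of the fix and workaround described above (example code written for this entry, not Waitress's own code; the two regular expressions show the shape of the problem and are not Waitress's exact patterns, and all function and constant names are this example's own), the following Python script transcribes the RFC 7230 errata grammar for a header value into a regex with a nested repetition, gives an equivalent pattern without one, adds the kind of linear pre-check a reverse proxy applies, and times a constructed malformed header against both patterns:

```python
import re
import time

# Character classes from RFC 7230 section 3.2; the ABNF in comments is the RFC's.
#   field-vchar   = VCHAR / obs-text
#   field-content = field-vchar [ 1*( SP / HTAB / field-vchar ) field-vchar ]  (errata 4189)
#   field-value   = *( field-content / obs-fold )   (obs-fold is ignored here)
FIELD_VCHAR = r"[\x21-\x7e\x80-\xff]"
FIELD_MIDDLE = r"[ \t\x21-\x7e\x80-\xff]"  # SP / HTAB / field-vchar

# Illustrative vulnerable shape (not Waitress's exact pattern): the errata grammar
# transcribed literally. The outer "*" repeats a group that can match 1 or 3+
# characters, so a run of n valid characters can be split into exponentially many
# blocks. When the trailing "[ \t]*$" then fails on one invalid byte, the
# backtracking engine tries every split before giving up.
VULNERABLE_VALUE_RE = re.compile(
    r"^[ \t]*(?P<value>(?:" + FIELD_VCHAR + r"(?:" + FIELD_MIDDLE + r"+" + FIELD_VCHAR + r")?)*)[ \t]*$"
)

# Same language, no nested unbounded repetition: a value is empty, or a field-vchar
# optionally followed by field-content characters ending in a field-vchar.
# Each position can be consumed in only one way, so a failed match costs O(n).
SAFE_VALUE_RE = re.compile(
    r"^[ \t]*(?P<value>(?:" + FIELD_VCHAR + r"(?:" + FIELD_MIDDLE + r"*" + FIELD_VCHAR + r")?)?)[ \t]*$"
)


def parse_header_value(raw, pattern=SAFE_VALUE_RE):
    """Return the validated field-value with surrounding OWS stripped, or None if malformed."""
    m = pattern.match(raw)
    return m.group("value") if m else None


def malformed_header_value(n):
    """Constructed attacker input: n otherwise valid characters followed by one
    control byte, which guarantees that the overall match fails."""
    return "x" * n + "\x10"


def has_invalid_byte(raw):
    """Linear pre-check of the kind a reverse proxy performs: any character outside
    field-vchar / SP / HTAB is rejected before a regular expression ever runs."""
    return any(
        not (c in " \t" or 0x21 <= ord(c) <= 0x7E or 0x80 <= ord(c) <= 0xFF) for c in raw
    )


def time_match(pattern, value, repeats=5):
    """Best-of-N wall-clock seconds for a single match attempt."""
    best = float("inf")
    for _ in range(repeats):
        start = time.perf_counter()
        pattern.match(value)
        best = min(best, time.perf_counter() - start)
    return best


def blowup_ratio(pattern, small=12, large=22):
    """How much longer a failed match takes at `large` than at `small` characters.
    A linear pattern stays near large/small; the vulnerable one is in the hundreds."""
    t_small = time_match(pattern, malformed_header_value(small))
    t_large = time_match(pattern, malformed_header_value(large))
    return t_large / max(t_small, 1e-9)


if __name__ == "__main__":
    for n in (12, 16, 20, 22):
        bad = malformed_header_value(n)
        print(
            f"n={n:2d}  vulnerable={time_match(VULNERABLE_VALUE_RE, bad) * 1e3:8.2f} ms"
            f"  safe={time_match(SAFE_VALUE_RE, bad) * 1e6:6.1f} us"
            f"  pre-check rejects={has_invalid_byte(bad)}"
        )
```

Both patterns accept and reject the same header values; only the cost of rejecting differs, which is why the fix can be a pure regex rewrite with no change in accepted input. The pre-check is what makes the reverse-proxy workaround effective: a request carrying a control byte never reaches the expensive validation at all.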
Source: This report was generated using AI