Eventlet
cpe:2.3:a:eventlet:eventlet:*:*:*:*:*:*:*
- < 0.40.3
An HTTP request smuggling vulnerability exists in Eventlet versions prior to 0.40.3. The WSGI server's request parser mishandles the trailer section that may follow a chunked message body, so a front-end proxy and Eventlet can disagree about where one request ends and the next begins. An attacker who can reach Eventlet through such a front end can use that disagreement to bypass front-end security controls, attack other active users of the site, and poison web caches.
A successful attack desynchronizes the front end's and Eventlet's view of the request stream: bytes the front end treats as part of one request are interpreted by Eventlet as the start of another. Any control enforced only at the front end (authentication, path restrictions, request filtering) can then be sidestepped, and a poisoned response may be served to other clients from a shared cache.
Upgrade to Eventlet 0.40.3 or later. The fix removes support for HTTP trailers entirely, so deployments that depend on trailers being processed will need adjustment. Until the upgrade is in place, do not expose Eventlet's WSGI server to untrusted clients.
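The following is an added illustration of the vulnerability class described above, not Eventlet's code and not a claim about the exact internals of its parser. It models a chunked-body parser under three trailer policies: "consume" (read trailer lines up to the blank line, as a standards-conforming front end does), "stop" (treat the zero-length chunk as the end of the message and leave anything after it in the buffer, the desync-prone behaviour), and "reject" (refuse any non-empty trailer section, the approach of dropping trailer support that the remediation describes). The same constructed byte stream yields one request under "consume" and two under "stop"; the second one is whatever the attacker placed in the trailer section. The request bytes, host name and paths are constructed for the example.

```python
# Toy model of trailer-section desync between two HTTP/1.1 parsers.
# Illustrative only: not Eventlet's code, not its exact bug.
from dataclasses import dataclass, field


@dataclass
class Request:
    request_line: str
    headers: dict = field(default_factory=dict)
    body: bytes = b""
    trailers: list = field(default_factory=list)


def _read_line(buf: bytes, pos: int):
    """Return (line without CRLF, position after the CRLF)."""
    end = buf.index(b"\r\n", pos)          # ValueError if the message is truncated
    return buf[pos:end], end + 2


def _read_chunked(buf: bytes, pos: int, trailer_policy: str):
    """Decode a chunked body at pos; return (body, trailer_lines, new_pos).

    "consume": after the zero-length chunk, read trailer lines until the blank
               line (RFC 9112 behaviour, typical of a front-end proxy).
    "stop":    treat "0\\r\\n" as the end of the message and leave whatever
               follows in the buffer. Fine for normal traffic, desync-prone.
    "reject":  parse the trailer section but refuse a non-empty one.
    """
    body = bytearray()
    while True:
        size_line, pos = _read_line(buf, pos)
        size = int(size_line.split(b";", 1)[0], 16)   # ignore chunk extensions
        if size == 0:
            break
        body += buf[pos:pos + size]
        pos += size
        if buf[pos:pos + 2] != b"\r\n":
            raise ValueError("chunk data must end with CRLF")
        pos += 2
    trailers = []
    if trailer_policy == "stop":
        return bytes(body), trailers, pos       # trailer bytes left unread
    while True:
        line, pos = _read_line(buf, pos)
        if line == b"":
            break
        trailers.append(line.decode("latin-1"))
    if trailer_policy == "reject" and trailers:
        raise ValueError("trailer section not supported")
    return bytes(body), trailers, pos


def parse_requests(stream: bytes, trailer_policy: str = "consume"):
    """Split a stream of pipelined HTTP/1.1 requests into Request objects."""
    requests, pos = [], 0
    while pos < len(stream):
        line, pos = _read_line(stream, pos)
        if line == b"":            # tolerate empty lines between messages (RFC 9112 2.2)
            continue
        req = Request(request_line=line.decode("latin-1"))
        while True:
            line, pos = _read_line(stream, pos)
            if line == b"":
                break
            name, _, value = line.decode("latin-1").partition(":")
            req.headers[name.strip().lower()] = value.strip()
        if req.headers.get("transfer-encoding", "").lower() == "chunked":
            req.body, req.trailers, pos = _read_chunked(stream, pos, trailer_policy)
        else:
            length = int(req.headers.get("content-length", "0"))
            req.body, pos = stream[pos:pos + length], pos + length
        requests.append(req)
    return requests


def count_requests(stream: bytes, trailer_policy: str) -> int:
    return len(parse_requests(stream, trailer_policy))


def rejects_trailers(stream: bytes) -> bool:
    """True if the "reject" policy refuses the stream."""
    try:
        parse_requests(stream, "reject")
    except ValueError:
        return True
    return False


# Constructed sample: an ordinary chunked POST with an empty trailer section.
NORMAL = (
    b"POST /upload HTTP/1.1\r\nHost: app.example\r\nTransfer-Encoding: chunked\r\n\r\n"
    b"5\r\nhello\r\n0\r\n\r\n"
)

# Constructed sample: the trailer section is shaped like a second request.
# A front end that skips trailer lines without validating them forwards these
# bytes as part of the POST; a parser that stopped at "0\r\n" sees a new GET.
SMUGGLE = (
    b"POST /upload HTTP/1.1\r\nHost: app.example\r\nTransfer-Encoding: chunked\r\n\r\n"
    b"5\r\nhello\r\n"
    b"0\r\n"
    b"GET /admin HTTP/1.1\r\n"
    b"Host: app.example\r\n"
    b"\r\n"
)

if __name__ == "__main__":
    for name, stream in (("normal", NORMAL), ("smuggle", SMUGGLE)):
        for policy in ("consume", "stop"):
            print(f"{name:8} {policy:8} -> {count_requests(stream, policy)} request(s)")
    print("smuggle  reject   -> refused:", rejects_trailers(SMUGGLE))
```

Under "stop", NORMAL still parses as one request, which is why a parser with this flaw passes ordinary traffic unnoticed; only SMUGGLE splits into two. The "reject" policy refuses SMUGGLE outright while still accepting NORMAL, at the cost of breaking clients that legitimately send trailers, which is the trade-off the fixed release makes.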