Crow HTTP framework use-after-free
The Crow HTTP Framework has a use-after-free vulnerability caused by its input reader being agnostic to HTTP pipelining (sending more than one HTTP request on the same connection without waiting for a response) while the asynchronous workers track connection state on the assumption of one request per connection.
One of the specific situations called out concerns the Connection::check_destroy() method, which deletes the connection object once both the is_reading and is_writing flags are cleared. These flags are modified without regard to how many requests have come through. For example, two pipelined requests come in, queueing up two write actions. After the first write action completes, the is_writing flag is cleared and Connection::check_destroy() is called, despite the second write still being in the queue.
The author also calls out a worrying pattern of potentially blatant use-after-frees where check_destroy is called and the application then continues to operate on the connection regardless of the result.
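As an added illustration (not Crow's code; the class and its members are a hypothetical model of the lifetime logic described above, not the real Connection type), the following C++ program simulates the two designs: one that tracks in-flight work with the is_reading/is_writing booleans the text describes, and one that counts queued writes. Driving two pipelined requests through each shows the flag version tearing the connection down while the second write is still queued, so the second completion handler runs against an already-destroyed connection, while the counted version waits for the queue to drain. A destroyed flag stands in for the real delete so that the run stays well defined and the misuse can be counted rather than crashing.

```cpp
#include <cstddef>
#include <deque>
#include <iostream>
#include <string>

// Hypothetical model (not Crow's code). Records whether the connection has
// been torn down and how many handlers ran against it afterwards.
struct Lifetime {
    bool destroyed = false;      // set when check_destroy() tears the connection down
    int uses_after_destroy = 0;  // handler invocations on an already-destroyed connection
};

class PipelinedConnection {
public:
    PipelinedConnection(Lifetime& lt, bool count_writes)
        : lt_(lt), count_writes_(count_writes) {}

    // The reader parses everything in its buffer. With pipelining that can be
    // several requests, each of which queues its own response write.
    void on_read(const std::deque<std::string>& requests) {
        is_reading_ = true;
        for (const auto& req : requests) {
            write_queue_.push_back("response to " + req);
            is_writing_ = true;     // flag model: one boolean, however many writes are queued
            ++pending_writes_;      // counted model: one increment per queued write
        }
        is_reading_ = false;
        check_destroy();
    }

    // Completion handler for one write. Under the flag model this clears
    // is_writing_ even though another write may still be queued.
    void on_write_done() {
        if (lt_.destroyed) {        // stands in for touching freed memory
            ++lt_.uses_after_destroy;
            return;
        }
        write_queue_.pop_front();
        --pending_writes_;
        is_writing_ = count_writes_ ? (pending_writes_ > 0) : false;
        check_destroy();
    }

    std::size_t queued_writes() const { return write_queue_.size(); }

private:
    // Mirrors the described rule: destroy once neither a read nor a write is in flight.
    void check_destroy() {
        if (!is_reading_ && !is_writing_) lt_.destroyed = true;
    }

    Lifetime& lt_;
    bool count_writes_;
    bool is_reading_ = false;
    bool is_writing_ = false;
    int pending_writes_ = 0;
    std::deque<std::string> write_queue_;
};

// Drive two pipelined requests (constructed sample input) through a connection
// and report what happened to its lifetime.
Lifetime run_pipelined(bool count_writes) {
    Lifetime lt;
    PipelinedConnection conn(lt, count_writes);
    conn.on_read({"GET /a", "GET /b"});  // both requests arrive in a single read
    conn.on_write_done();                // first response completes
    conn.on_write_done();                // second response completes
    return lt;
}

int main() {
    Lifetime flags = run_pipelined(false);
    Lifetime counted = run_pipelined(true);
    std::cout << "flag model: destroyed=" << flags.destroyed
              << " uses_after_destroy=" << flags.uses_after_destroy << "\n";
    std::cout << "counted model: destroyed=" << counted.destroyed
              << " uses_after_destroy=" << counted.uses_after_destroy << "\n";
    return 0;
}
```

The design point is that a boolean cannot represent "how many writes are outstanding"; any teardown check driven by such a flag must instead be driven by a count (or a reference count held by each queued operation) and only run when that count reaches zero, and nothing may touch the object after that check has fired.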