The vulnerability stems from improper handling of HTTP chunked transfer encoding trailers in WSGIServer. The commit shows critical modifications to __read_chunk_length (added strict validation of HEX characters, chunk size limits, and trailer processing) and handle_one_response (added error handling for invalid client input). The CVE description explicitly mentions crafted chunk trailers being misinterpreted as new requests, which aligns with the pre-patch behavior of these functions. Test cases in test__pywsgi.py demonstrate scenarios where malicious trailers could be smuggled as new requests.