CVE-2024-52804
HIGH7.5EPSS 0.15%Tornado has an HTTP cookie parsing DoS vulnerability
Published: 11/22/2024Modified: 2/4/2026
Description
The algorithm used for parsing HTTP cookies in Tornado versions prior to 6.4.2 sometimes has quadratic complexity, leading to excessive CPU consumption when parsing maliciously-crafted cookie headers. This parsing occurs in the event loop thread and may block the processing of other requests. See also CVE-2024-7592 for a similar vulnerability in cpython.
Affected packages (2)
- Debian/python-tornadofrom 0, < 6.1.0-1+deb11u1
- PyPI/tornadofrom 0, < 6.4.2
CVSS scores
| Source | Version | Severity | Vector |
|---|---|---|---|
| osv | CVSS 3.1 | HIGH7.5 | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H |
References (6)
- ADVISORYhttps://nvd.nist.gov/vuln/detail/CVE-2024-52804
- ADVISORYhttps://security-tracker.debian.org/tracker/CVE-2024-52804
- PATCHhttps://github.com/tornadoweb/tornado
- WEBhttps://github.com/tornadoweb/tornado/commit/d5ba4a1695fbf7c6a3e54313262639b198291533
- WEBhttps://github.com/tornadoweb/tornado/security/advisories/GHSA-8w49-h785-mj3c
- WEBhttps://lists.debian.org/debian-lts-announce/2025/01/msg00000.html