CVE-2024-52804: Tornado has an HTTP cookie parsing DoS vulnerability
(updated )
The algorithm used for parsing HTTP cookies in Tornado versions prior to 6.4.2 sometimes has quadratic complexity, leading to excessive CPU consumption when parsing maliciously-crafted cookie headers. This parsing occurs in the event loop thread and may block the processing of other requests.
See also CVE-2024-7592 for a similar vulnerability in cpython.
References
- github.com/advisories/GHSA-8w49-h785-mj3c
- github.com/tornadoweb/tornado
- github.com/tornadoweb/tornado/commit/d5ba4a1695fbf7c6a3e54313262639b198291533
- github.com/tornadoweb/tornado/security/advisories/GHSA-8w49-h785-mj3c
- lists.debian.org/debian-lts-announce/2025/01/msg00000.html
- nvd.nist.gov/vuln/detail/CVE-2024-52804
Code Behaviors & Features
Detect and mitigate CVE-2024-52804 with GitLab Dependency Scanning
Secure your software supply chain by verifying that all open source dependencies used in your projects contain no disclosed vulnerabilities. Learn more about Dependency Scanning →