CVE-2024-52804

Severity: High (CVSS 3.1 base score 7.5) · EPSS 60.0%
Published Nov 22, 2024 (1y ago) · Modified Jun 17, 2026 (1w ago)

Description

Tornado is a Python web framework and asynchronous networking library. The algorithm used for parsing HTTP cookies in Tornado versions prior to 6.4.2 sometimes has quadratic complexity, leading to excessive CPU consumption when parsing maliciously-crafted cookie headers. This parsing occurs in the event loop thread and may block the processing of other requests. Version 6.4.2 fixes the issue.

CVSS Details

Base Score
7.5
Exploitability
3.9
Impact
3.6
Vector string
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
Attack Vector Network
Attack Complexity Low
Privileges Required None
User Interaction None
Scope Unchanged
Confidentiality None
Integrity None
Availability High

Threat Intelligence

EPSS Exploit Probability: 60.0% (percentile)
Exploit & Patch Status
No Known Exploit
Patch Available

Weaknesses 2

CWE-400 Uncontrolled Resource Consumption (Resource Management)
CWE-770 Allocation of Resources Without Limits or Throttling

Affected Products 1

Vendor       Product   Version   Range
tornadoweb   tornado   *         <6.4.2

References 4

  • github.com https://github.com/advisories/GHSA-7pwv-g7hj-39pr
    Not Applicable
  • github.com https://github.com/tornadoweb/tornado/commit/d5ba4a1695fbf7c6a3e54313262639b198291533
    Patch
  • github.com https://github.com/tornadoweb/tornado/security/advisories/GHSA-8w49-h785-mj3c
    Third Party Advisory
  • lists.debian.org https://lists.debian.org/debian-lts-announce/2025/01/msg00000.html

Remediation

  • github.com https://github.com/tornadoweb/tornado/commit/d5ba4a1695fbf7c6a3e54313262639b198291533
    Patch