Ecosyste.ms: Advisories

An open API service providing security vulnerability metadata for many open source software ecosystems.

Security Advisories: GSA_kwCzR0hTQS04dzQ5LWg3ODUtbWozY84ABBnk

Tornado has an HTTP cookie parsing DoS vulnerability

The algorithm used for parsing HTTP cookies in Tornado versions prior to 6.4.2 sometimes has quadratic complexity, leading to excessive CPU consumption when parsing maliciously-crafted cookie headers. This parsing occurs in the event loop thread and may block the processing of other requests.

See also CVE-2024-7592 for a similar vulnerability in CPython.

Permalink: https://github.com/advisories/GHSA-8w49-h785-mj3c
JSON: https://advisories.ecosyste.ms/api/v1/advisories/GSA_kwCzR0hTQS04dzQ5LWg3ODUtbWozY84ABBnk
Source: GitHub Advisory Database
Origin: Unspecified
Severity: High
Classification: General
Published: 18 days ago
Updated: 18 days ago
CVSS Score: 7.5
CVSS vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

EPSS Percentage: 0.00045
EPSS Percentile: 0.17556

Identifiers: GHSA-8w49-h785-mj3c, CVE-2024-52804
References: Repository: https://github.com/tornadoweb/tornado
Blast Radius: 37.9

Affected Packages

pypi:tornado
Dependent packages: 853
Dependent repositories: 113,286
Downloads: 52,334,970 last month
Affected Version Ranges: <= 6.4.1
Fixed in: 6.4.2
All affected versions: 1.1.1, 1.2.1, 2.1.1, 2.2.1, 2.4.1, 3.0.1, 3.0.2, 3.1.1, 3.2.1, 3.2.2, 4.0.1, 4.0.2, 4.2.1, 4.4.1, 4.4.2, 4.4.3, 4.5.1, 4.5.2, 4.5.3, 5.0.1, 5.0.2, 5.1.1, 6.0.1, 6.0.2, 6.0.3, 6.0.4, 6.3.1, 6.3.2, 6.3.3, 6.4.1
All unaffected versions: 6.4.2