CVE-2024-52804
- Source
- https://nvd.nist.gov/vuln/detail/CVE-2024-52804
- Import Source
- https://storage.googleapis.com/osv-test-cve-osv-conversion/osv-output/CVE-2024-52804.json
- JSON Data
- https://api.test.osv.dev/v1/vulns/CVE-2024-52804
- Aliases
- Downstream
- Related
- Published
- 2024-11-22T15:43:38Z
- Modified
- 2025-10-20T20:29:24.257298Z
- Severity
-
- 7.5 (High) CVSS_V3 - CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H CVSS Calculator
- Summary
- Tornado has HTTP cookie parsing DoS vulnerability
- Details
-
Tornado is a Python web framework and asynchronous networking library. The algorithm used for parsing HTTP cookies in Tornado versions prior to 6.4.2 sometimes has quadratic complexity, leading to excessive CPU consumption when parsing maliciously-crafted cookie headers. This parsing occurs in the event loop thread and may block the processing of other requests. Version 6.4.2 fixes the issue.
- Database specific
{ "cwe_ids": [ "CWE-400", "CWE-770" ] }- References
Affected packages
Git / github.com/tornadoweb/tornado
Affected ranges
- Type
- GIT
- Repo
- https://github.com/tornadoweb/tornado
- Events
-
Introduced0 Unknown introduced commit / All previous commits are affectedFixed
Affected versions
v1.*
v1.0.0
v1.1.0
v1.1.1
v1.2.0
v1.2.1
v2.*
v2.0.0
v2.1.0
v2.1.1
v2.2.0
v2.2.1
v2.3.0
v2.4.0
v2.4.1
v3.*
v3.0.0
v3.0.1
v3.0.2
v3.1.0
v3.1.1
v3.2.0
v3.2.0b1
v3.2.0b2
v3.2.1
v3.2.2
v4.*
v4.0.0
v4.0.0b1
v4.0.0b2
v4.0.0b3
v4.0.1
v4.0.2
v4.1.0
v4.1.0b1
v4.1.0b2
v4.2.0
v4.2.0b1
v4.2.1
v4.3.0
v4.3.0b1
v4.3.0b2
v4.4.0
v4.4.0b1
v4.4.1
v4.4.2
v4.4.3
v4.5.0
v4.5.1
v4.5.2
v4.5.3
v5.*
v5.0.0
v5.0.1
v5.1.0
v5.1.0b1
v6.*
v6.0.0
v6.0.0b1
v6.1.0
v6.1.0b1
v6.1.0b2
v6.2.0
v6.2.0b1
v6.2.0b2
v6.3.0
v6.3.0b1
v6.3.1
v6.4.0
v6.4.0b1
v6.4.1