CVE-2024-52804

NameCVE-2024-52804
DescriptionTornado is a Python web framework and asynchronous networking library. The algorithm used for parsing HTTP cookies in Tornado versions prior to 6.4.2 sometimes has quadratic complexity, leading to excessive CPU consumption when parsing maliciously-crafted cookie headers. This parsing occurs in the event loop thread and may block the processing of other requests. Version 6.4.2 fixes the issue.
SourceCVE (at NVD; CERT, LWN, oss-sec, fulldisc, Red Hat, Ubuntu, Gentoo, SUSE bugzilla/CVE, GitHub advisories/code/issues, web search, more)
Debian Bugs1088112

Vulnerable and fixed packages

The table below lists information on source packages.

Source PackageReleaseVersionStatus
python-tornado (PTS)bullseye6.1.0-1vulnerable
bookworm6.2.0-3vulnerable
sid, trixie6.4.2-1fixed

The information below is based on the following data on fixed versions.

PackageTypeReleaseFixed VersionUrgencyOriginDebian Bugs
python-tornadosource(unstable)6.4.2-11088112

Notes

https://github.com/tornadoweb/tornado/security/advisories/GHSA-8w49-h785-mj3c
Fixed by: https://github.com/tornadoweb/tornado/commit/d5ba4a1695fbf7c6a3e54313262639b198291533 (v6.4.2)

Search for package or bug name: Reporting problems