CVE-2024-52804

Name	CVE-2024-52804
Description	Tornado is a Python web framework and asynchronous networking library. The algorithm used for parsing HTTP cookies in Tornado versions prior to 6.4.2 sometimes has quadratic complexity, leading to excessive CPU consumption when parsing maliciously-crafted cookie headers. This parsing occurs in the event loop thread and may block the processing of other requests. Version 6.4.2 fixes the issue.
Source	CVE (at NVD; CERT, LWN, oss-sec, fulldisc, Red Hat, Ubuntu, Gentoo, SUSE bugzilla/CVE, GitHub advisories/code/issues, web search, more)
Debian Bugs	1088112

Vulnerable and fixed packages

The table below lists information on source packages.

Source Package	Release	Version	Status
python-tornado (PTS)	bullseye	6.1.0-1	vulnerable
	bookworm	6.2.0-3	vulnerable
	sid, trixie	6.4.1-3	vulnerable

The information below is based on the following data on fixed versions.

Package	Type	Release	Fixed Version	Urgency	Origin	Debian Bugs
python-tornado	source	(unstable)	(unfixed)			1088112

Notes

https://github.com/tornadoweb/tornado/security/advisories/GHSA-8w49-h785-mj3c
Fixed by: https://github.com/tornadoweb/tornado/commit/d5ba4a1695fbf7c6a3e54313262639b198291533 (v6.4.2)