CVE-2024-52804

Tornado is a Python web framework and asynchronous networking library. The algorithm used for parsing HTTP cookies in Tornado versions prior to 6.4.2 sometimes has quadratic complexity, leading to excessive CPU consumption when parsing maliciously-crafted cookie headers. This parsing occurs in the event loop thread and may block the processing of other requests. Version 6.4.2 fixes the issue.

CVSS v3 7.5 HIGH

7.5^/10

CVSS v3 : HIGH

Vector :

Exploitability : 3.9 / Impact : 3.6

Attack Vector NETWORK

Attack Complexity LOW

Privileges Required NONE

User Interaction NONE

Confidentiality Impact NONE

Integrity Impact NONE

Availability Impact HIGH

Scope UNCHANGED

References

Link	Resource
https://github.com/advisories/GHSA-7pwv-g7hj-39pr	Not Applicable
https://github.com/tornadoweb/tornado/commit/d5ba4a1695fbf7c6a3e54313262639b198291533	Patch
https://github.com/tornadoweb/tornado/security/advisories/GHSA-8w49-h785-mj3c	Third Party Advisory

Configurations

Configuration 1 (hide)

cpe:2.3:a:tornadoweb:tornado:*:*:*:*:*:*:*:*

History

27 Aug 2025, 16:48

Type	Values Removed	Values Added
References	~~() https://github.com/advisories/GHSA-7pwv-g7hj-39pr -~~	() https://github.com/advisories/GHSA-7pwv-g7hj-39pr - Not Applicable
References	~~() https://github.com/tornadoweb/tornado/commit/d5ba4a1695fbf7c6a3e54313262639b198291533 -~~	() https://github.com/tornadoweb/tornado/commit/d5ba4a1695fbf7c6a3e54313262639b198291533 - Patch
References	~~() https://github.com/tornadoweb/tornado/security/advisories/GHSA-8w49-h785-mj3c -~~	() https://github.com/tornadoweb/tornado/security/advisories/GHSA-8w49-h785-mj3c - Third Party Advisory
First Time		Tornadoweb Tornadoweb tornado
CPE		cpe:2.3:a:tornadoweb:tornado::::::::

Information

Published : 2024-11-22 16:15

Updated : 2025-08-27 16:48

NVD link : CVE-2024-52804

Mitre link : CVE-2024-52804

CVE.ORG link : CVE-2024-52804

JSON object : View

Products Affected

tornadoweb

tornado

CWE

CWE-400

Uncontrolled Resource Consumption

CWE-770

Allocation of Resources Without Limits or Throttling

{"id": "CVE-2024-52804", "cveTags": [], "metrics": {"cvssMetricV31": [{"type": "Secondary", "source": "security-advisories@github.com", "cvssData": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 7.5, "attackVector": "NETWORK", "baseSeverity": "HIGH", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", "integrityImpact": "NONE", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "HIGH", "privilegesRequired": "NONE", "confidentialityImpact": "NONE"}, "impactScore": 3.6, "exploitabilityScore": 3.9}]}, "published": "2024-11-22T16:15:34.417", "references": [{"url": "https://github.com/advisories/GHSA-7pwv-g7hj-39pr", "tags": ["Not Applicable"], "source": "security-advisories@github.com"}, {"url": "https://github.com/tornadoweb/tornado/commit/d5ba4a1695fbf7c6a3e54313262639b198291533", "tags": ["Patch"], "source": "security-advisories@github.com"}, {"url": "https://github.com/tornadoweb/tornado/security/advisories/GHSA-8w49-h785-mj3c", "tags": ["Third Party Advisory"], "source": "security-advisories@github.com"}], "vulnStatus": "Analyzed", "weaknesses": [{"type": "Secondary", "source": "security-advisories@github.com", "description": [{"lang": "en", "value": "CWE-400"}, {"lang": "en", "value": "CWE-770"}]}], "descriptions": [{"lang": "en", "value": "Tornado is a Python web framework and asynchronous networking library. The algorithm used for parsing HTTP cookies in Tornado versions prior to 6.4.2 sometimes has quadratic complexity, leading to excessive CPU consumption when parsing maliciously-crafted cookie headers. This parsing occurs in the event loop thread and may block the processing of other requests. Version 6.4.2 fixes the issue."}, {"lang": "es", "value": "Tornado es un framework web de Python y una librer\u00eda de redes asincr\u00f3nicas. El algoritmo utilizado para analizar las cookies HTTP en las versiones de Tornado anteriores a la 6.4.2 a veces tiene una complejidad cuadr\u00e1tica, lo que genera un consumo excesivo de CPU al analizar encabezados de cookies manipulado con fines malintencionados. Este an\u00e1lisis se produce en el hilo del bucle de eventos y puede bloquear el procesamiento de otras solicitudes. La versi\u00f3n 6.4.2 soluciona el problema."}], "lastModified": "2025-08-27T16:48:04.733", "configurations": [{"nodes": [{"negate": false, "cpeMatch": [{"criteria": "cpe:2.3:a:tornadoweb:tornado:*:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "6F76085D-6918-4959-959D-9B8A0DFD4724", "versionEndExcluding": "6.4.2"}], "operator": "OR"}]}], "sourceIdentifier": "security-advisories@github.com"}