
Cloud Vulnerability DB
A community-led vulnerabilities database
CVE-2024-52804 affects Tornado, a Python web framework and asynchronous networking library. The vulnerability exists in versions prior to 6.4.2, where the algorithm used for parsing HTTP cookies sometimes exhibits quadratic complexity. This vulnerability was discovered and disclosed on November 22, 2024, affecting all Tornado installations before version 6.4.2 (GitHub Advisory, NVD).
The vulnerability stems from an inefficient cookie parsing algorithm that exhibits quadratic complexity in certain scenarios. The parsing occurs in the event loop thread, so a slow parse can significantly impact the application's performance. The vulnerability has been assigned a CVSS v3.1 base score of 7.5 (HIGH) with vector string CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H. The issue is classified under CWE-400 (Uncontrolled Resource Consumption) and CWE-770 (Allocation of Resources Without Limits or Throttling) (GitHub Advisory).
When exploited, this vulnerability can lead to excessive CPU consumption when parsing maliciously-crafted cookie headers. Since the parsing occurs in the event loop thread, it may block the processing of other requests, potentially resulting in a denial of service condition (GitHub Advisory).
The vulnerability has been fixed in Tornado version 6.4.2. Users are strongly advised to upgrade to this version or later. The fix implements a more efficient algorithm for parsing HTTP cookies, replacing the previous quadratic complexity implementation with an optimized version based on Python 3.13's standard library (Tornado Commit).
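To check an environment against the fixed version named above, the following added example (not code from the advisory or from the Tornado project) flags Tornado pins earlier than 6.4.2 in requirements-style text and reports the installed version. The function names, the simplified version parsing and the sample input are assumptions made for illustration.

```python
import re
from importlib import metadata

FIXED = (6, 4, 2)  # first fixed Tornado release named in the advisory text

# "tornado" with optional extras and an exact pin; names compare case-insensitively.
PIN_RE = re.compile(r"^\s*tornado\s*(\[[^\]]*\])?\s*===?\s*([^\s;#,]+)", re.I)
# Any other requirement line for tornado itself (range, bare name, wildcard pin).
ANY_RE = re.compile(r"^\s*tornado\s*(\[[^\]]*\])?\s*($|[;#<>=!~])", re.I)
PRE_RE = re.compile(r"[.\-_]?(a|b|c|rc|alpha|beta|pre|preview|dev)")


def is_affected(version):
    """Return True when `version` sorts before 6.4.2."""
    m = re.match(r"v?(\d+(?:\.\d+)*)(.*)$", version.strip())
    if not m:
        raise ValueError(f"unparseable version: {version!r}")
    release = tuple(int(p) for p in m.group(1).split("."))
    release += (0,) * (3 - len(release))  # "6.4" -> (6, 4, 0)
    # Assumption: a pre-release or dev build of 6.4.2 is treated as affected.
    if release == FIXED and PRE_RE.match(m.group(2).lower()):
        return True
    return release < FIXED


def audit_requirements(text):
    """Return (line_no, version, status) for every tornado requirement line."""
    findings = []
    for n, line in enumerate(text.splitlines(), 1):
        pin = PIN_RE.match(line)
        if pin and "*" not in pin.group(2):
            v = pin.group(2)
            findings.append((n, v, "affected" if is_affected(v) else "fixed"))
        elif ANY_RE.match(line):
            findings.append((n, None, "unpinned"))  # resolve against the lock file
    return findings


def installed_status():
    """(version, affected) for the Tornado in this environment, or None."""
    try:
        v = metadata.version("tornado")
    except metadata.PackageNotFoundError:
        return None
    return v, is_affected(v)


# Constructed sample input, not taken from any real project.
SAMPLE = "requests==2.32.3\ntornado==6.4.1\nTornado == 6.4.2\ntornado>=6.0\ntornado-example-plugin==1.0\n"
```

Lines reported as "unpinned" need the resolved version from a lock file or from `installed_status()` before they can be cleared.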
Source: This report was generated using AI