CVE-2024-52804
Python vulnerability analysis and mitigation

Overview

CVE-2024-52804 affects Tornado, a Python web framework and asynchronous networking library. The vulnerability exists in versions prior to 6.4.2, where the algorithm used for parsing HTTP cookies sometimes exhibits quadratic complexity. This vulnerability was discovered and disclosed on November 22, 2024, affecting all Tornado installations before version 6.4.2 (GitHub Advisory, NVD).

Technical details

The vulnerability stems from inefficient cookie parsing algorithms that can lead to quadratic complexity in certain scenarios. The parsing occurs in the event loop thread, which can significantly impact the application's performance. The vulnerability has been assigned a CVSS v3.1 base score of 7.5 (HIGH) with vector string CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H. The issue is classified under CWE-400 (Uncontrolled Resource Consumption) and CWE-770 (Allocation of Resources Without Limits or Throttling) (GitHub Advisory).

Impact

When exploited, this vulnerability can lead to excessive CPU consumption when parsing maliciously-crafted cookie headers. Since the parsing occurs in the event loop thread, it may block the processing of other requests, potentially resulting in a denial of service condition (GitHub Advisory).

Mitigation and workarounds

The vulnerability has been fixed in Tornado version 6.4.2. Users are strongly advised to upgrade to this version or later. The fix implements a more efficient algorithm for parsing HTTP cookies, replacing the previous quadratic complexity implementation with an optimized version based on Python 3.13's standard library (Tornado Commit).

Additional resources


SourceThis report was generated using AI

Free Vulnerability Assessment

Benchmark your Cloud Security Posture

Evaluate your cloud security practices across 9 security domains to benchmark your risk level and identify gaps in your defenses.

Request assessment

Get a personalized demo

Ready to see Wiz in action?

"Best User Experience I have ever seen, provides full visibility to cloud workloads."
David EstlickCISO
"Wiz provides a single pane of glass to see what is going on in our cloud environments."
Adam FletcherChief Security Officer
"We know that if Wiz identifies something as critical, it actually is."
Greg PoniatowskiHead of Threat and Vulnerability Management