CVE-2024-7592: 
NixOS vulnerability analysis and mitigation

CVE-2024-7592 is a vulnerability affecting CPython's 'http.cookies' standard library module, discovered and disclosed on August 19, 2024. The vulnerability affects Python versions up to 3.12.5, including versions 3.8.x through 3.12.x. When parsing cookies containing backslashes for quoted characters in cookie values, the parser would use an algorithm with quadratic complexity (Python Security).

The vulnerability stems from inefficient regular expression complexity in the unquote() method of the http.cookies module. The function uses regular expressions OctalPatt and _QuotePatt within a while loop to process input strings, which can lead to quadratic time complexity under certain conditions. The vulnerability has been assigned a CVSS v3.1 base score of 7.5 (HIGH) with a vector of CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H (NVD).

The vulnerability can result in excessive CPU resource consumption when parsing cookie values containing backslashes. Testing has shown that cookie sizes of 8000+ bytes caused delays of approximately 0.15 seconds per HTTP request, while cookie sizes of 20000+ bytes resulted in delays of about 1 second per request. This could potentially lead to Denial of Service (DoS) conditions (GitHub Issue).

Patches have been released for affected Python versions. The fix involves optimizing the cookie parsing algorithm to prevent quadratic complexity. Updates are available in Python versions 3.8.20, 3.9.20, 3.10.15, 3.11.10, and 3.12.6. Users are advised to upgrade to these patched versions (GitHub PR).

The vulnerability has been classified as LOW severity by Python developers, despite its high CVSS score. Various organizations have responded by incorporating the fixes, including NetApp, which has issued advisories and patches for their affected products (NetApp Advisory).