CVE-2024-52804

NameCVE-2024-52804
DescriptionTornado is a Python web framework and asynchronous networking library. The algorithm used for parsing HTTP cookies in Tornado versions prior to 6.4.2 sometimes has quadratic complexity, leading to excessive CPU consumption when parsing maliciously-crafted cookie headers. This parsing occurs in the event loop thread and may block the processing of other requests. Version 6.4.2 fixes the issue.
SourceCVE (at NVD; CERT, LWN, oss-sec, fulldisc, Red Hat, Ubuntu, Gentoo, SUSE bugzilla/CVE, GitHub advisories/code/issues, web search, more)
Debian Bugs1088112

Vulnerable and fixed packages

The table below lists information on source packages.

Source PackageReleaseVersionStatus
python-tornado (PTS)jessie3.2.2-1.1vulnerable
stretch4.4.3-1vulnerable
buster5.1.1-4vulnerable
bullseye6.1.0-1vulnerable
bookworm6.2.0-3vulnerable
sid, trixie6.4.1-3vulnerable

The information below is based on the following data on fixed versions.

PackageTypeReleaseFixed VersionUrgencyOriginDebian Bugs
python-tornadosource(unstable)(unfixed)1088112

Notes

https://github.com/tornadoweb/tornado/security/advisories/GHSA-8w49-h785-mj3c
Fixed by: https://github.com/tornadoweb/tornado/commit/d5ba4a1695fbf7c6a3e54313262639b198291533 (v6.4.2)

Search for package or bug name: Reporting problems