CVE-2024-52804

  1. OpenCVE
  2. Vulnerabilities (CVE)
  3. CVE-2024-52804
Tornado is a Python web framework and asynchronous networking library. The algorithm used for parsing HTTP cookies in Tornado versions prior to 6.4.2 sometimes has quadratic complexity, leading to excessive CPU consumption when parsing maliciously-crafted cookie headers. This parsing occurs in the event loop thread and may block the processing of other requests. Version 6.4.2 fixes the issue.

7.5 /10

CVSS v3 : HIGH

V3 Legend

Vector :

Exploitability : 3.9 / Impact : 3.6

Attack Vector NETWORK

Attack Complexity LOW

Privileges Required NONE

User Interaction NONE

Confidentiality Impact NONE

Integrity Impact NONE

Availability Impact HIGH

Scope UNCHANGED

References
Link Resource
https://github.com/advisories/GHSA-7pwv-g7hj-39pr Not Applicable
https://github.com/tornadoweb/tornado/commit/d5ba4a1695fbf7c6a3e54313262639b198291533 Patch
https://github.com/tornadoweb/tornado/security/advisories/GHSA-8w49-h785-mj3c Third Party Advisory
Configurations

Configuration 1 (hide)

cpe:2.3:a:tornadoweb:tornado:*:*:*:*:*:*:*:*
History

27 Aug 2025, 16:48

Type Values Removed Values Added
Summary
  • (es) Tornado es un framework web de Python y una librería de redes asincrónicas. El algoritmo utilizado para analizar las cookies HTTP en las versiones de Tornado anteriores a la 6.4.2 a veces tiene una complejidad cuadrática, lo que genera un consumo excesivo de CPU al analizar encabezados de cookies manipulado con fines malintencionados. Este análisis se produce en el hilo del bucle de eventos y puede bloquear el procesamiento de otras solicitudes. La versión 6.4.2 soluciona el problema.
First Time Tornadoweb tornado
Tornadoweb
CPE cpe:2.3:a:tornadoweb:tornado:*:*:*:*:*:*:*:*
References () https://github.com/advisories/GHSA-7pwv-g7hj-39pr - () https://github.com/advisories/GHSA-7pwv-g7hj-39pr - Not Applicable
References () https://github.com/tornadoweb/tornado/commit/d5ba4a1695fbf7c6a3e54313262639b198291533 - () https://github.com/tornadoweb/tornado/commit/d5ba4a1695fbf7c6a3e54313262639b198291533 - Patch
References () https://github.com/tornadoweb/tornado/security/advisories/GHSA-8w49-h785-mj3c - () https://github.com/tornadoweb/tornado/security/advisories/GHSA-8w49-h785-mj3c - Third Party Advisory

22 Nov 2024, 16:15

Type Values Removed Values Added
New CVE
Information

Published : 2024-11-22 16:15

Updated : 2025-08-27 16:48

NVD link : CVE-2024-52804

Mitre link : CVE-2024-52804

CVE.ORG link : CVE-2024-52804

JSON object : View

Products Affected

tornadoweb

  • tornado
CWE
CWE-400

Uncontrolled Resource Consumption

CWE-770

Allocation of Resources Without Limits or Throttling