HIGH🇬🇧 English

CVE-2024-52804

CVSS 7.5v3.1pub. 2024-11-22upd. 2025-11-03

Tornado is a Python web framework and asynchronous networking library. The algorithm used for parsing HTTP cookies in Tornado versions prior to 6.4.2 sometimes has quadratic complexity, leading to excessive CPU consumption when parsing maliciously-crafted cookie headers. This parsing occurs in the event loop thread and may block the processing of other requests. Version 6.4.2 fixes the issue.

oryginał EN
CVSS Vector
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
  • Tornadoweb Tornado

    APP
    Tornadoweb
    < 6.4.2
🔵
ZWERYFIKUJ U PRODUCENTA
Brak jednoznacznych danych o patchu. Sprawdź referencje od producenta.
CWE
Referencje

Powiązane podatności

CVE-2026-35536HIGH7.2ten sam produkt

In Tornado before 6.5.5, cookie attribute injection could occur because the domain, path, and samesite argumen...

CVE-2026-31958HIGH8.7ten sam produkt

Tornado is a Python web framework and asynchronous networking library. In versions of Tornado prior to 6.5.5, ...

CVE-2025-67725HIGH7.5ten sam produkt

Tornado is a Python web framework and asynchronous networking library. In versions 6.5.2 and below, a single m...

CVE-2025-67726HIGH7.5ten sam produkt

Tornado is a Python web framework and asynchronous networking library. Versions 6.5.2 and below use an ineffic...

CVE-2025-47287HIGH7.5ten sam produkt

Tornado is a Python web framework and asynchronous networking library. When Tornado's ``multipart/form-data`` ...

CVE-2024-52804 — HIGH 7.5 | CVEbaza.pl