Description
Tornado is a Python web framework and asynchronous networking library. The algorithm used for parsing HTTP cookies in Tornado versions prior to 6.4.2 sometimes has quadratic complexity, leading to excessive CPU consumption when parsing maliciously-crafted cookie headers. This parsing occurs in the event loop thread and may block the processing of other requests. Version 6.4.2 fixes the issue.
References (4)
Core References
Third Party Advisory (x_refsource_confirm): https://github.com/tornadoweb/tornado/security/advisories/GHSA-8w49-h785-mj3c
Patch (x_refsource_misc): https://github.com/tornadoweb/tornado/commit/d5ba4a1695fbf7c6a3e54313262639b198291533
Not Applicable (x_refsource_misc): https://github.com/advisories/GHSA-7pwv-g7hj-39pr
Scores
CVSS v3: 7.5
EPSS: 0.0016
EPSS Percentile: 36.4%
Attack Vector: NETWORK
Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
CISA SSVC
Vulnrichment
Exploitation: none
Automatable: yes
Technical Impact: partial
Details
CWE: CWE-770, CWE-400
Status: published
Products (2)
pypi/tornado: 0 - 6.4.2 (PyPI)
tornadoweb/tornado: < 6.4.2
Published: Nov 22, 2024
Tracked Since: Feb 18, 2026