CVE-2024-52804 HIGH

CVE-2024-52804: Tornado has HTTP cookie parsing DoS vulnerability

Vendor Tornadoweb
Product tornado
Weakness CWE-400
Published November 22, 2024
Last update November 3, 2025

CVSS base score

7.5/10
Attack vector Network
Attack complexity Low
Privileges required None
User interaction None
Confidentiality None
Integrity None

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

What the vulnerability does

01 Description

Tornado is a Python web framework and asynchronous networking library. The algorithm used for parsing HTTP cookies in Tornado versions prior to 6.4.2 sometimes has quadratic complexity, leading to excessive CPU consumption when parsing maliciously crafted cookie headers. This parsing occurs in the event loop thread and may block the processing of other requests. Version 6.4.2 fixes the issue.
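To find deployments still on an affected release, the sketch below audits requirements-style lines for Tornado pins older than 6.4.2 and checks the version installed in the current environment. It is an added example, not part of the CVE record or of Tornado's code; the lines in `SAMPLE` are constructed, and the version comparison is a simplified one assumed for this example, not a full PEP 440 implementation.

```python
import re

FIXED = (6, 4, 2)  # first fixed release, taken from the advisory text
_NAME = re.compile(r"^\s*tornado(?![\w.-])", re.I)  # skips e.g. tornado-helper
_PIN = re.compile(r"^\s*tornado\s*(?:\[[^\]]*\])?\s*==\s*([0-9][^\s;#,]*)", re.I)

# Constructed sample input (not from any real project).
SAMPLE = [
    "tornado==6.4.1",
    "Tornado == 6.4.2  # pinned to the fix",
    "tornado>=6.1,<7",
    "tornado==6.4.2rc1",
    "tornado-helper==1.0",
    "requests==2.32.3",
]

def parse_release(version):
    """Return (release tuple padded to 3 parts, is_pre_release)."""
    m = re.match(r"v?(\d+(?:\.\d+)*)(.*)", version.strip(), re.I)
    if m is None:
        raise ValueError(f"unrecognised version: {version!r}")
    release = tuple(int(p) for p in m.group(1).split("."))
    release += (0,) * (3 - len(release))
    pre = re.match(r"[._-]?(a|b|c|rc|alpha|beta|pre|dev)", m.group(2), re.I)
    return release, pre is not None

def is_vulnerable(version):
    """True for releases before 6.4.2, including 6.4.2 pre-releases."""
    release, is_pre = parse_release(version)
    return release < FIXED or (release == FIXED and is_pre)

def audit(lines):
    """Return (line, verdict) for every line that names the tornado package."""
    findings = []
    for raw in lines:
        line = raw.split("#", 1)[0].strip()
        if not _NAME.match(line):
            continue
        pin = _PIN.match(line)
        if pin is None or "*" in pin.group(1):
            verdict = "review"  # range or wildcard: check the resolved version
        else:
            verdict = "vulnerable" if is_vulnerable(pin.group(1)) else "fixed"
        findings.append((line, verdict))
    return findings

if __name__ == "__main__":
    from importlib.metadata import PackageNotFoundError, version
    try:
        print("installed tornado vulnerable:", is_vulnerable(version("tornado")))
    except PackageNotFoundError:
        print("tornado is not installed in this environment")
    print(audit(SAMPLE))
```

A `review` verdict means the line does not pin an exact version, so the version actually resolved in the lock file or environment has to be checked instead.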

Key dates

02 Disclosure timeline

November 22, 2024 CVE published
November 3, 2025 Record updated