Vulnerability details: VCID-3y8v-vsd8-ubba
Vulnerability ID VCID-3y8v-vsd8-ubba
Aliases CVE-2024-52804
GHSA-8w49-h785-mj3c
Summary Tornado has an HTTP cookie parsing DoS vulnerability. The algorithm used for parsing HTTP cookies in Tornado versions prior to 6.4.2 sometimes has quadratic complexity, leading to excessive CPU consumption when parsing maliciously crafted cookie headers. This parsing occurs in the event loop thread and may block the processing of other requests. See also CVE-2024-7592 for a similar vulnerability in CPython.
Status Published
Exploitability 0.5
Weighted Severity 8.0
Risk 4.0
System Score Found at
cvssv3 7.5 https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2024-52804.json
epss 0.00118 https://api.first.org/data/v1/epss?cve=CVE-2024-52804
epss 0.00145 https://api.first.org/data/v1/epss?cve=CVE-2024-52804
cvssv3.1 5.3 https://ftp.suse.com/pub/projects/security/yaml/suse-cvss-scores.yaml
cvssv3.1 7.5 https://github.com/advisories/GHSA-7pwv-g7hj-39pr
ssvc Track https://github.com/advisories/GHSA-7pwv-g7hj-39pr
cvssv3.1_qr HIGH https://github.com/advisories/GHSA-8w49-h785-mj3c
cvssv3.1 7.5 https://github.com/tornadoweb/tornado
generic_textual HIGH https://github.com/tornadoweb/tornado
cvssv3.1 7.5 https://github.com/tornadoweb/tornado/commit/d5ba4a1695fbf7c6a3e54313262639b198291533
generic_textual HIGH https://github.com/tornadoweb/tornado/commit/d5ba4a1695fbf7c6a3e54313262639b198291533
ssvc Track https://github.com/tornadoweb/tornado/commit/d5ba4a1695fbf7c6a3e54313262639b198291533
cvssv3.1 7.5 https://github.com/tornadoweb/tornado/security/advisories/GHSA-8w49-h785-mj3c
cvssv3.1_qr HIGH https://github.com/tornadoweb/tornado/security/advisories/GHSA-8w49-h785-mj3c
generic_textual HIGH https://github.com/tornadoweb/tornado/security/advisories/GHSA-8w49-h785-mj3c
ssvc Track https://github.com/tornadoweb/tornado/security/advisories/GHSA-8w49-h785-mj3c
cvssv3.1 7.5 https://lists.debian.org/debian-lts-announce/2025/01/msg00000.html
generic_textual HIGH https://lists.debian.org/debian-lts-announce/2025/01/msg00000.html
cvssv3.1 7.5 https://nvd.nist.gov/vuln/detail/CVE-2024-52804
generic_textual HIGH https://nvd.nist.gov/vuln/detail/CVE-2024-52804
Reference id Reference type URL
https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2024-52804.json
https://api.first.org/data/v1/epss?cve=CVE-2024-52804
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2024-52804
https://ftp.suse.com/pub/projects/security/yaml/suse-cvss-scores.yaml
https://github.com/tornadoweb/tornado
https://github.com/tornadoweb/tornado/commit/d5ba4a1695fbf7c6a3e54313262639b198291533
https://github.com/tornadoweb/tornado/security/advisories/GHSA-8w49-h785-mj3c
https://lists.debian.org/debian-lts-announce/2025/01/msg00000.html
https://nvd.nist.gov/vuln/detail/CVE-2024-52804
1088112 https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1088112
2328045 https://bugzilla.redhat.com/show_bug.cgi?id=2328045
GHSA-7pwv-g7hj-39pr https://github.com/advisories/GHSA-7pwv-g7hj-39pr
GHSA-8w49-h785-mj3c https://github.com/advisories/GHSA-8w49-h785-mj3c
RHSA-2024:10590 https://access.redhat.com/errata/RHSA-2024:10590
RHSA-2024:10836 https://access.redhat.com/errata/RHSA-2024:10836
RHSA-2024:10843 https://access.redhat.com/errata/RHSA-2024:10843
RHSA-2025:2470 https://access.redhat.com/errata/RHSA-2025:2470
RHSA-2025:2471 https://access.redhat.com/errata/RHSA-2025:2471
RHSA-2025:2550 https://access.redhat.com/errata/RHSA-2025:2550
RHSA-2025:2872 https://access.redhat.com/errata/RHSA-2025:2872
RHSA-2025:2955 https://access.redhat.com/errata/RHSA-2025:2955
RHSA-2025:2956 https://access.redhat.com/errata/RHSA-2025:2956
RHSA-2025:3108 https://access.redhat.com/errata/RHSA-2025:3108
RHSA-2025:3109 https://access.redhat.com/errata/RHSA-2025:3109
USN-7150-1 https://usn.ubuntu.com/7150-1/
No exploits are available.
Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H Found at https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2024-52804.json

Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L Found at https://ftp.suse.com/pub/projects/security/yaml/suse-cvss-scores.yaml

Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H Found at https://github.com/advisories/GHSA-7pwv-g7hj-39pr


Vector: SSVCv2/E:N/A:Y/T:P/P:M/B:A/M:M/D:T/2024-11-25T17:54:41Z/ Found at https://github.com/advisories/GHSA-7pwv-g7hj-39pr
Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H Found at https://github.com/tornadoweb/tornado

Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H Found at https://github.com/tornadoweb/tornado/commit/d5ba4a1695fbf7c6a3e54313262639b198291533


Vector: SSVCv2/E:N/A:Y/T:P/P:M/B:A/M:M/D:T/2024-11-25T17:54:41Z/ Found at https://github.com/tornadoweb/tornado/commit/d5ba4a1695fbf7c6a3e54313262639b198291533
Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H Found at https://github.com/tornadoweb/tornado/security/advisories/GHSA-8w49-h785-mj3c


Vector: SSVCv2/E:N/A:Y/T:P/P:M/B:A/M:M/D:T/2024-11-25T17:54:41Z/ Found at https://github.com/tornadoweb/tornado/security/advisories/GHSA-8w49-h785-mj3c
Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H Found at https://lists.debian.org/debian-lts-announce/2025/01/msg00000.html

Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H Found at https://nvd.nist.gov/vuln/detail/CVE-2024-52804

Exploit Prediction Scoring System (EPSS)
Percentile 0.3082
EPSS Score 0.00118
Published At April 2, 2026, 12:55 p.m.
Date Actor Action Source VulnerableCode Version
2026-04-01T12:51:14.992088+00:00 GithubOSV Importer Import https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2024/11/GHSA-8w49-h785-mj3c/GHSA-8w49-h785-mj3c.json 38.0.0