CVE-2024-52804 in tornado

Summary

by MITRE • 11/22/2024

Tornado is a Python web framework and asynchronous networking library. The algorithm used for parsing HTTP cookies in Tornado versions prior to 6.4.2 sometimes has quadratic complexity, leading to excessive CPU consumption when parsing maliciously-crafted cookie headers. This parsing occurs in the event loop thread and may block the processing of other requests. Version 6.4.2 fixes the issue.


Analysis

by VulDB Data Team • 08/27/2025

The vulnerability identified as CVE-2024-52804 affects the Tornado web framework, a popular Python asynchronous networking library that serves as both a web framework and an event-driven network I/O framework. This issue stems from an inefficient algorithm implementation in the HTTP cookie parsing mechanism that existed in Tornado versions prior to 6.4.2. The flaw manifests when the framework processes HTTP cookie headers, specifically when encountering maliciously crafted cookie data that triggers the problematic parsing logic.

The technical root cause of this vulnerability lies in the cookie parsing algorithm's time complexity characteristics. When Tornado processes HTTP cookie headers, it employs an algorithm that exhibits quadratic time complexity under certain conditions. This means that as the size of the cookie data increases, the processing time grows with the square of the input size rather than linearly. The vulnerability becomes particularly pronounced when attackers craft cookie headers with specific patterns that force the parser into inefficient execution paths. The algorithmic inefficiency occurs within the event loop thread context, which is critical because this thread handles all incoming requests and manages the asynchronous processing of the web application.

The operational impact of this vulnerability is significant for systems running affected Tornado versions. Since the cookie parsing occurs in the event loop thread, maliciously crafted cookie headers can cause substantial CPU consumption that blocks the processing of legitimate requests. This creates a denial of service condition where the server becomes unresponsive to legitimate traffic while consuming excessive computational resources. The vulnerability affects the overall performance and availability of web applications built on Tornado, potentially allowing attackers to exhaust system resources and prevent normal operation of the service. The blocking nature of the event loop thread means that other concurrent requests cannot be processed until the malicious cookie parsing completes, which can take considerable time depending on the complexity of the crafted input.

This vulnerability aligns with CWE-798, which addresses the use of hard-coded credentials and related security weaknesses, and more specifically with CWE-400, which covers unchecked resource consumption. The issue also maps to ATT&CK technique T1496, which involves resource exhaustion attacks, and T1070, which deals with indicator removal on host. Organizations using Tornado web applications should prioritize updating to version 6.4.2 or later to address this vulnerability, as the fix implements a more efficient parsing algorithm that eliminates the quadratic complexity. Input validation and rate limiting can also provide defense-in-depth measures, though the primary mitigation remains updating to the patched version. The vulnerability demonstrates the importance of algorithmic efficiency in security-critical components and highlights how seemingly minor implementation details can lead to significant performance and availability impacts in web applications.
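The two defense-in-depth controls the analysis mentions, bounding the input before it reaches the parser and keeping the parser itself linear, are easy to show in code. The following is an added example written for this page; it is not Tornado's own cookie parser and does not reproduce the fix in 6.4.2. The header size limit (`MAX_COOKIE_HEADER_BYTES`), the function names and the sample headers are assumptions chosen for illustration. The parser walks the header once with `str.split` and `str.partition`, so its cost grows linearly with header length, and the size guard returns HTTP 431 (Request Header Fields Too Large) for anything over the cap, so even a slower parser further down the stack would only ever see bounded input.

```python
"""Added example (not Tornado's code): bounding the cost of Cookie parsing.

Two independent controls that address the failure mode behind CVE-2024-52804:
  1. reject oversized Cookie headers before any parsing happens, so the
     worst case of whatever parser runs later is bounded by the cap;
  2. parse with a single forward pass, so cost is O(n) in header length.
"""

# Assumed limit; tune per deployment. Most browsers send far less than this.
MAX_COOKIE_HEADER_BYTES = 8192


class CookieHeaderTooLarge(ValueError):
    """Raised when a Cookie header exceeds the configured cap."""


def cookie_header_status(header: str, max_len: int = MAX_COOKIE_HEADER_BYTES) -> int:
    """Return the HTTP status a request guard would answer with.

    431 Request Header Fields Too Large (RFC 6585) when the header is over the
    cap, otherwise 200 to signal the request may proceed to cookie parsing.
    Checking len() is O(1), so this guard adds no parsing cost of its own.
    """
    return 431 if len(header.encode("utf-8")) > max_len else 200


def parse_cookie_header(header: str, max_len: int = MAX_COOKIE_HEADER_BYTES) -> dict[str, str]:
    """Parse a Cookie header value ('a=1; b=2') into a dict in linear time.

    - Splits on ';' once and partitions each chunk on the first '=', so no
      part of the input is rescanned.
    - Cookie pairs without '=' or without a name are skipped (RFC 6265 s5.4
      is lenient about malformed pairs; dropping them avoids guessing).
    - The first occurrence of a name wins, matching the user agent's ordering
      rule that more specific cookies are sent first (a design choice here).
    """
    if len(header.encode("utf-8")) > max_len:
        raise CookieHeaderTooLarge(
            f"Cookie header of {len(header)} characters exceeds cap of {max_len} bytes"
        )

    cookies: dict[str, str] = {}
    for chunk in header.split(";"):
        name, sep, value = chunk.partition("=")
        name = name.strip()
        if not sep or not name:
            continue
        value = value.strip()
        # Strip one pair of surrounding double quotes (RFC 6265 cookie-value).
        if len(value) >= 2 and value[0] == '"' and value[-1] == '"':
            value = value[1:-1]
        cookies.setdefault(name, value)
    return cookies


def handle_cookie_header(header: str) -> tuple[int, dict[str, str]]:
    """Guard then parse, as a request handler's prepare step would.

    Returns (status, cookies); cookies is empty when the guard rejects.
    """
    status = cookie_header_status(header)
    if status != 200:
        return status, {}
    return status, parse_cookie_header(header)


if __name__ == "__main__":
    # Constructed sample headers, not captured traffic.
    print(handle_cookie_header('session="abc123"; theme=dark; theme=light'))
    print(handle_cookie_header("a=" + "x" * 9000))
```

Wiring this into a Tornado application would mean calling the guard from a handler's `prepare()` against `self.request.headers.get("Cookie", "")` and finishing with status 431 when it trips; that keeps the cap in front of the framework's own parser without replacing it, and the upgrade to 6.4.2 remains the actual fix.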

Responsible

GitHub M

Reservation

11/15/2024

Disclosure

11/22/2024

Moderation

accepted

CPE

ready

EPSS

0.01051

KEV

no

Activities

very low

Sources
