Emmett · Emmett · CVE-2026-25577
**Name of the Vulnerable Software and Affected Versions**
Emmett versions prior to 1.3.11
**Description**
The `cookies` property in `emmett_core.http.wrappers.Request` does not handle `CookieError` exceptions when parsing malformed Cookie headers. This allows unauthenticated attackers to trigger HTTP 500 errors and cause denial of service. A cookie containing special characters such as `/(){}` is not covered by the existing error handling and results in a server error. The vulnerable code is located in `emmett_core/http/wrappers/__init__.py` at line 64. The issue can lead to performance degradation and make the service difficult to use normally.
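The failure mode described above, reproduced with Python's standard `http.cookies` parser (the module that defines `CookieError`), next to a guarded variant. This is an added example, not Emmett's code or its actual patch: the `UnguardedRequest`, `GuardedRequest` and `status_for` names and the sample headers are constructed for illustration.

```python
from http.cookies import CookieError, SimpleCookie

# Constructed sample headers; the second has a key using characters from the advisory.
WELL_FORMED = "session=abc123; theme=dark"
MALFORMED = "session=abc123; bad/(){}key=1"


class UnguardedRequest:
    """Hypothetical wrapper: parses the Cookie header with no exception handling."""

    def __init__(self, headers):
        self.headers = headers

    @property
    def cookies(self):
        jar = SimpleCookie()
        jar.load(self.headers.get("cookie", ""))  # CookieError propagates to the caller
        return jar


class GuardedRequest(UnguardedRequest):
    """Hypothetical hardened wrapper: an illegal pair is skipped, never fatal."""

    @property
    def cookies(self):
        jar = SimpleCookie()
        # Simplification: splitting on ';' also splits quoted values that contain ';'.
        for pair in self.headers.get("cookie", "").split(";"):
            try:
                jar.load(pair.strip())
            except CookieError:
                continue  # drop only the offending pair, keep the rest
        return jar


def status_for(request_cls, cookie_header):
    """Mimic a framework's outer handler: an unhandled exception becomes a 500."""
    try:
        request_cls({"cookie": cookie_header}).cookies
        return 200
    except Exception:
        return 500


if __name__ == "__main__":
    for cls in (UnguardedRequest, GuardedRequest):
        print(cls.__name__, status_for(cls, WELL_FORMED), status_for(cls, MALFORMED))
```

A regression test for the upgrade can follow the same shape: send a request whose Cookie header contains an illegal key and assert that the response is not a 500.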
**Recommendations**
Update to Emmett version 1.3.11 or later.