PT-2024-10401 · Tornado+9

Kexinoh · Published 2024-11-22 · Updated 2026-06-03 · CVE-2024-52804

CVSS v2.0: 7.8 (High)
Vector: AV:N/AC:L/Au:N/C:N/I:N/A:C
Name of the Vulnerable Software and Affected Versions: Tornado versions prior to 6.4.2

Description: The algorithm used for parsing HTTP cookies in Tornado sometimes has quadratic complexity, leading to excessive CPU consumption when parsing maliciously crafted cookie headers. This parsing occurs in the event loop thread and may block the processing of other requests, potentially allowing a remote attacker to cause a denial of service.

Recommendations: For versions prior to 6.4.2, update to version 6.4.2 to fix the issue. As a temporary workaround, consider restricting the size of HTTP cookie headers to minimize the risk of exploitation.

Exploit · Fix

Weakness Enumeration

DoS
Resource Exhaustion
Allocation of Resources Without Limits

Related Identifiers

ALSA-2024:10590
ALSA-2024_10590
ALSA-2025:2872
AZL-53522
AZL-53624
BDU:2025-00918
CESA-2025_2872
CVE-2024-52804
DLA-4007-1
GHSA-7PWV-G7HJ-39PR
GHSA-8W49-H785-MJ3C
INFSA-2024_10590
INFSA-2025_2471
INFSA-2025_2872
MGASA-2025-0060
OESA-2024-2509
OPENSUSE-SU-2024:14528-1
OPENSUSE-SU-2024_4137-1
RHSA-2024:10590
RHSA-2024:10836
RHSA-2024:10843
RHSA-2024_10590
RHSA-2025:2470
RHSA-2025:2471
RHSA-2025:2550
RHSA-2025:2872
RHSA-2025:2955
RHSA-2025:2956
RHSA-2025:3108
RHSA-2025:3109
RHSA-2025_2471
RHSA-2025_2872
RLSA-2024:10590
SUSE-SU-2024:4137-1
SUSE-SU-2025:20096-1
SUSE-SU-2025:20445-1
USN-7150-1

Affected Products

AlmaLinux
Astra Linux
CentOS
Linux Mint
Red Hat
RED OS
Rocky Linux
SUSE
Tornado
Ubuntu