Vulnerability Database

309,364

Total vulnerabilities in the database

CVE-2024-52804

Tornado is a Python web framework and asynchronous networking library. The algorithm used for parsing HTTP cookies in Tornado versions prior to 6.4.2 sometimes has quadratic complexity, leading to excessive CPU consumption when parsing maliciously-crafted cookie headers. This parsing occurs in the event loop thread and may block the processing of other requests. Version 6.4.2 fixes the issue.

Published: Nov 22, 2024
Updated: Nov 4, 2025
CVE: CVE-2024-52804
Severity: High
Exploit:

CVSS v3:

Severity: High
Score: 7.5
AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

CWEs:

CWE-400
CWE-770

Affected Software
References

Software	From	Fixed in
tornadoweb / tornado	-	6.4.2

https://github.com/advisories/GHSA-7pwv-g7hj-39pr
https://github.com/tornadoweb/tornado/commit/d5ba4a1695fbf7c6a3e54313262639b198291533
https://github.com/tornadoweb/tornado/security/advisories/GHSA-8w49-h785-mj3c
https://lists.debian.org/debian-lts-announce/2025/01/msg00000.html

Deep Security Visibility Without the Complexity

SynScan provides clear, real-time security insights so you can monitor your attack surface, spot risks early, and act fast—without extra complexity.

No setup fees
5-min deployment
Cancel anytime

Book a Demo