Tornado HTTP Cookie Parsing DoS Vulnerability (High Severity)

2024-11-22

Platform: Tornado

Version: Prior to 6.4.2

Vulnerability: HTTP Cookie Parsing DoS

Severity: High

Date: November 22, 2024

What Undercode Says:

Tornado versions before 6.4.2 have a vulnerability in their HTTP cookie parsing algorithm. The parser's running time grows quadratically with the size of the Cookie header, so a specially crafted cookie header from an attacker can keep a worker busy for far longer than a legitimate request would. That slow parsing consumes excessive CPU, potentially blocking the server from processing legitimate requests (Denial-of-Service).

Explanation:

– Vulnerable Tornado versions use an inefficient algorithm to parse HTTP cookies.
– Malicious actors can send crafted cookie headers that exploit this inefficiency.
– Exploiting this vulnerability can lead to high CPU usage, impacting server performance.
– This can prevent the server from responding to legitimate requests (DoS).

Recommendation:

Upgrade Tornado to version 6.4.2 or later. This version includes a fix for the vulnerable cookie parsing algorithm.
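As an added example (not from the advisory or the Tornado project), the following Python helpers let a defender check whether an installed Tornado predates the 6.4.2 fix and, on a deployment that cannot upgrade yet, cap the raw Cookie header size before Tornado's lazily invoked cookie parser ever sees it. The 4096-byte cap, the `CookieGuardMixin` name and the `installed_tornado_is_vulnerable` helper are assumptions, not anything the advisory specifies.

```python
"""Defensive helpers for the Tornado < 6.4.2 cookie-parsing DoS (added example)."""
import re

FIXED_VERSION = (6, 4, 2)          # first release carrying the fix, per the advisory
MAX_COOKIE_HEADER_BYTES = 4096     # constructed cap; tune to what your app really needs


def parse_version(version: str) -> tuple:
    """Leading numeric components of a version string: '6.4.1' -> (6, 4, 1).
    Pre-release suffixes such as '6.5.0b1' are ignored for the comparison."""
    parts = []
    for piece in version.split("."):
        m = re.match(r"\d+", piece)
        if not m:
            break
        parts.append(int(m.group()))
    while len(parts) < 3:          # so '6.4' compares as (6, 4, 0)
        parts.append(0)
    return tuple(parts)


def is_vulnerable_version(version: str) -> bool:
    """True when the given Tornado version predates the 6.4.2 fix."""
    return parse_version(version) < FIXED_VERSION


def installed_tornado_is_vulnerable():
    """Check the Tornado installed in this interpreter; None if it is not installed."""
    try:
        from importlib.metadata import version
        return is_vulnerable_version(version("tornado"))
    except Exception:
        return None


def cookie_header_acceptable(cookie_header, max_bytes=MAX_COOKIE_HEADER_BYTES) -> bool:
    """Bound the input to the quadratic parser: no Cookie header or a short one passes,
    anything over the cap is rejected before parsing is attempted."""
    if cookie_header is None:
        return True
    return len(cookie_header.encode("utf-8", "surrogateescape")) <= max_bytes


try:
    import tornado.web

    class CookieGuardMixin:
        """Hypothetical interim guard: list it before RequestHandler in a handler's bases.
        Tornado parses the Cookie header only on first access to request.cookies, so
        rejecting an oversized raw header here keeps it away from the parser entirely."""
        def prepare(self):
            if not cookie_header_acceptable(self.request.headers.get("Cookie")):
                raise tornado.web.HTTPError(431, "Cookie header too large")
            super().prepare()
except ImportError:      # the pure helpers above still work without Tornado installed
    pass
```

The guard is defense in depth for the window before the upgrade lands; it does not replace moving to 6.4.2 or later.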

References:

Reported By: Github.com
Undercode AI: https://ai.undercodetesting.com

Image Source:

OpenAI: https://openai.com
Undercode AI DI v2: https://ai.undercode.help
