CVE-2024-52804 Overview
CVE-2024-52804 is an Algorithmic Complexity Attack vulnerability in Tornado, a popular Python web framework and asynchronous networking library. The algorithm used for parsing HTTP cookies in Tornado versions prior to 6.4.2 sometimes has quadratic complexity, leading to excessive CPU consumption when parsing maliciously-crafted cookie headers. This parsing occurs in the event loop thread and may block the processing of other requests, causing a denial of service condition.
Critical Impact
Attackers can exploit this vulnerability to cause excessive CPU consumption by sending specially crafted cookie headers, effectively blocking the event loop and preventing the server from processing legitimate requests.
Affected Products
- Tornadoweb Tornado versions prior to 6.4.2
Discovery Timeline
- November 22, 2024 - CVE CVE-2024-52804 published to NVD
- November 3, 2025 - Last updated in NVD database
Technical Details for CVE-2024-52804
Vulnerability Analysis
This vulnerability exists in the HTTP cookie parsing functionality within Tornado's httputil.py module. The flaw stems from the use of an inefficient algorithm that exhibits quadratic time complexity O(n²) when processing certain cookie header patterns. When the event loop thread processes a maliciously crafted cookie header, the parsing operation can consume disproportionate CPU resources relative to the input size.
The vulnerability is classified as CWE-400 (Uncontrolled Resource Consumption), which covers scenarios where an application fails to properly limit the resources it consumes. In this case, the CPU time consumed during cookie parsing can grow exponentially with specifically crafted input, allowing an attacker to tie up server resources with minimal effort.
Since Tornado uses an asynchronous, single-threaded event loop architecture, blocking operations in the event loop have a cascading effect on all other requests being processed. An attacker exploiting this vulnerability could effectively deny service to all users of the application.
Root Cause
The root cause lies in the original _unquote_cookie function implementation, which was copied from Python's standard library (http.cookies._unquote). The vulnerable code used two separate regular expression patterns (_OctalPatt and _QuotePatt) that were applied iteratively, resulting in quadratic complexity when processing cookies with many escape sequences. Each pattern match and string operation compounded the computational cost.
Attack Vector
This vulnerability can be exploited remotely over the network without authentication. An attacker needs only to send HTTP requests with maliciously crafted Cookie headers to a Tornado-based application. The attack requires no special privileges and no user interaction. The crafted cookies contain patterns that maximize the iteration count of the vulnerable parsing algorithm, causing CPU exhaustion on the server.
yield (k, v)
-_OctalPatt = re.compile(r"\\[0-3][0-7][0-7]")
-_QuotePatt = re.compile(r"[\\].")
-_nulljoin = "".join
+_unquote_sub = re.compile(r"\\(?:([0-3][0-7][0-7])|(.))")..sub
+
+
+def _unquote_replace(m: re.Match) -> str:
+ if m[1]:
+ return chr(int(m[1], 8))
+ else:
+ return m[2]
def _unquote_cookie(s: str) -> str:
"""Handle double quotes and escaping in cookie values.
- This method is copied verbatim from the Python 3.5 standard
+ This method is copied verbatim from the Python 3.13 standard
library (http.cookies._unquote) so we don't have to depend on
non-public interfaces.
"""
Source: GitHub Tornado Commit
The fix replaces the inefficient dual-pattern approach with a single compiled regex substitution (_unquote_sub) that handles both octal escapes and other escaped characters in a single pass, reducing the complexity from O(n²) to O(n).
Detection Methods for CVE-2024-52804
Indicators of Compromise
- Unusually high CPU utilization on servers running Tornado applications
- Slow response times or timeouts across all endpoints during attack periods
- HTTP requests containing abnormally large or complex Cookie headers with multiple escape sequences
- Event loop blocking indicators in application logs
Detection Strategies
- Monitor for HTTP requests with Cookie headers exceeding normal size thresholds or containing unusual patterns of escape sequences
- Implement request rate limiting and cookie size validation at the reverse proxy or load balancer level
- Deploy application performance monitoring (APM) to detect event loop blocking events
- Analyze web server access logs for requests with anomalous cookie patterns
Monitoring Recommendations
- Set up alerts for sustained high CPU usage on Tornado application servers
- Monitor request latency percentiles (p95, p99) for sudden degradation indicating potential DoS
- Implement logging for requests that exceed cookie parsing time thresholds
- Use SentinelOne Singularity Platform to monitor for resource exhaustion patterns indicative of algorithmic complexity attacks
How to Mitigate CVE-2024-52804
Immediate Actions Required
- Upgrade Tornado to version 6.4.2 or later immediately
- Implement request filtering at the edge to limit cookie header sizes
- Consider deploying a web application firewall (WAF) with rules to detect abnormally complex cookie patterns
- Review all applications using Tornado and prioritize patching based on exposure
Patch Information
The vulnerability is fixed in Tornado version 6.4.2. The patch updates the _unquote_cookie function in tornado/httputil.py to use a more efficient single-pass regex substitution approach, based on the implementation from Python 3.13's standard library. The fix is available in the official Tornado commit.
Additional security advisories are available at the GitHub Security Advisory. Debian users should refer to the Debian LTS Announcement for distribution-specific patches.
Workarounds
- Deploy a reverse proxy (nginx, HAProxy) in front of Tornado applications with cookie header size limits
- Implement middleware to pre-validate and reject cookies exceeding reasonable complexity thresholds before they reach Tornado's parser
- Use connection timeouts and request rate limiting to minimize the impact of exploitation attempts
- Consider running multiple Tornado instances behind a load balancer to distribute the impact of potential attacks
# Example nginx configuration to limit cookie header size
# Add to nginx server block configuration
large_client_header_buffers 4 8k;
# Reject requests with excessively large cookies
if ($http_cookie ~* ".{4096,}") {
return 413;
}
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.
