CVE-2024-7592: Quadratic complexity parsing cookies with backslashes

Description

There is a LOW severity vulnerability affecting CPython, specifically the
'http.cookies' standard library module.

When parsing cookies whose value contained backslash-escaped characters inside
a quoted string, the parser used an algorithm with quadratic complexity in the
length of the value, so a single long cookie value could consume excessive CPU
time while being parsed.
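The upstream fix lives in the CPython commits listed under References; until a patched interpreter is deployed, an application can refuse to hand oversized or backslash-heavy Cookie headers to the parser at all. The following is an added example, not code from CPython or from the advisory: a small pre-filter in front of http.cookies.SimpleCookie. The limit values, the function names and the CookieHeaderRejected exception are assumptions chosen for this example; tune the limits to what your application legitimately needs.

```python
from http import cookies

# Constructed limits for this example (not from the advisory). Normal browser
# cookies rarely need escaped characters at all, so a small backslash budget
# rejects the pathological input while leaving ordinary cookies untouched.
MAX_COOKIE_HEADER_LEN = 4096
MAX_BACKSLASHES = 64


class CookieHeaderRejected(ValueError):
    """Raised when a Cookie header fails the size checks before parsing."""


def is_acceptable_cookie_header(raw_header: str) -> bool:
    """Return True when the raw header is within the configured bounds.

    The checks are linear in the header length, so they are cheap to run on
    every request regardless of how adversarial the content is.
    """
    if len(raw_header) > MAX_COOKIE_HEADER_LEN:
        return False
    if raw_header.count("\\") > MAX_BACKSLASHES:
        return False
    return True


def load_cookie_header(raw_header: str) -> cookies.SimpleCookie:
    """Parse a Cookie header with SimpleCookie only after it passes the bounds check.

    Raises CookieHeaderRejected instead of parsing when the header is too long
    or contains more backslashes than MAX_BACKSLASHES. Rejected requests are
    worth logging: a burst of them is a useful signal that someone is probing
    the cookie parser.
    """
    if not is_acceptable_cookie_header(raw_header):
        raise CookieHeaderRejected(
            "Cookie header rejected: %d bytes, %d backslashes"
            % (len(raw_header), raw_header.count("\\"))
        )
    jar = cookies.SimpleCookie()
    jar.load(raw_header)
    return jar


if __name__ == "__main__":
    # Constructed sample headers for demonstration.
    ok = load_cookie_header('session=abc123; theme="dark"; note="d\\"ark"')
    print({k: m.value for k, m in ok.items()})
    try:
        load_cookie_header("x=" + "\\" * 200)
    except CookieHeaderRejected as exc:
        print("rejected:", exc)
```

The filter does not change how http.cookies itself behaves; it only bounds the input that reaches the quadratic code path, which is the standard mitigation pattern for parser complexity issues while the real fix is rolled out.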

Classification

CVE ID: CVE-2024-7592

Affected Products

Vendor: Python Software Foundation

Product: CPython

Exploit Prediction Scoring System (EPSS)

EPSS Score: 0.11% (probability of being exploited)

EPSS Percentile: 45.84% (share of all scored CVEs with a score less than or equal to this one)

EPSS Date: 2025-03-01 (date the score was calculated)

References

https://github.com/python/cpython/pull/123075
https://github.com/python/cpython/issues/123067
https://mail.python.org/archives/list/[email protected]/thread/HXJAAAALNUNGCQUS2W7WR6GFIZIHFOOK/
https://github.com/python/cpython/commit/391e5626e3ee5af267b97e37abc7475732e67621
https://github.com/python/cpython/commit/dcc3eaef98cd94d6cb6cb0f44bd1c903d04f33b1
https://github.com/python/cpython/commit/a77ab24427a18bff817025adb03ca920dc3f1a06
https://github.com/python/cpython/commit/b2f11ca7667e4d57c71c1c88b255115f16042d9a
https://github.com/python/cpython/commit/d4ac921a4b081f7f996a5d2b101684b67ba0ed7f
https://github.com/python/cpython/commit/d662e2db2605515a767f88ad48096b8ac623c774
https://github.com/python/cpython/commit/44e458357fca05ca0ae2658d62c8c595b048b5ef

Timeline