CVE-2024-7592

Public Exploit
Quadratic complexity parsing cookies with backslashes

Description

There is a LOW severity vulnerability affecting CPython, specifically the 'http.cookies' standard library module. When parsing cookies that contained backslashes for quoted characters in the cookie value, the parser would use an algorithm with quadratic complexity, resulting in excess CPU resources being used while parsing the value.

Categories

7.5
CVSS
Severity: High
CVSS 3.1 •
EPSS 0.26%
Vendor Advisory python.org
Affected: Python Software Foundation CPython
Published at:
Updated at:

References

Link Tags
https://github.com/python/cpython/pull/123075 patch issue tracking
https://github.com/python/cpython/issues/123067 patch issue tracking exploit
https://mail.python.org/archives/list/security-announce@python.org/thread/HXJAAAALNUNGCQUS2W7WR6GFIZIHFOOK/ vendor advisory mailing list
https://github.com/python/cpython/commit/391e5626e3ee5af267b97e37abc7475732e67621 patch
https://github.com/python/cpython/commit/dcc3eaef98cd94d6cb6cb0f44bd1c903d04f33b1 patch
https://github.com/python/cpython/commit/a77ab24427a18bff817025adb03ca920dc3f1a06 patch
https://github.com/python/cpython/commit/b2f11ca7667e4d57c71c1c88b255115f16042d9a patch
https://github.com/python/cpython/commit/d4ac921a4b081f7f996a5d2b101684b67ba0ed7f patch
https://github.com/python/cpython/commit/d662e2db2605515a767f88ad48096b8ac623c774 patch
https://github.com/python/cpython/commit/44e458357fca05ca0ae2658d62c8c595b048b5ef patch
https://security.netapp.com/advisory/ntap-20241018-0006/ third party advisory

Frequently Asked Questions

What is the severity of CVE-2024-7592?
CVE-2024-7592 has been scored as a high severity vulnerability.
How to fix CVE-2024-7592?
To fix CVE-2024-7592, make sure you are using an up-to-date version of the affected component(s) by checking the vendor release notes. As for now, there are no other specific guidelines available.
Is CVE-2024-7592 being actively exploited in the wild?
It is possible that CVE-2024-7592 is being exploited or will be exploited in a near future based on public information. According to its EPSS score, there is a ~0% probability that this vulnerability will be exploited by malicious actors in the next 30 days.
What software or system is affected by CVE-2024-7592?
CVE-2024-7592 affects Python Software Foundation CPython.
This platform uses data from the NIST NVD, MITRE CVE, MITRE CWE, First.org and CISA KEV but is not endorsed or certified by these entities. CVE is a registred trademark of the MITRE Corporation and the authoritative source of CVE content is MITRE's CVE web site. CWE is a registred trademark of the MITRE Corporation and the authoritative source of CWE content is MITRE's CWE web site.
© 2025 Under My Watch. All Rights Reserved.