CVE-2024-7592
📋 TL;DR
A denial-of-service vulnerability in CPython's http.cookies module: parsing cookies that contain backslashes inside quoted values triggers a quadratic-time code path, causing excessive CPU consumption. This affects any Python application that uses the standard library's cookie parsing functionality. The vulnerability is rated LOW severity but has a CVSS score of 7.5 due to its resource exhaustion potential.
💻 Affected Systems
- CPython
📦 What is this software?
Python by Python
Python is a high-level, interpreted programming language known for its readability and versatility. It is widely used in web development, data science, automation, and scientific computing.
⚠️ Risk & Real-World Impact
Worst Case
Complete service unavailability due to CPU exhaustion from specially crafted cookies, potentially causing extended downtime.
Likely Case
Degraded performance and increased resource usage when parsing malicious cookies, leading to slower response times.
If Mitigated
Minimal impact with proper input validation and rate limiting in place.
🎯 Exploit Status
Exploitation requires sending specially crafted cookies with backslashes in quoted values to trigger the quadratic parsing algorithm.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: Check Python releases incorporating commits: 391e5626e3ee5af267b97e37abc7475732e67621, 44e458357fca05ca0ae2658d62c8c595b048b5ef, a77ab24427a18bff817025adb03ca920dc3f1a06, b2f11ca7667e4d57c71c1c88b255115f16042d9a, d4ac921a4b081f7f996a5d2b101684b67ba0ed7f
Vendor Advisory: https://github.com/python/cpython/security/advisories
Restart Required: Yes
Instructions:
1. Identify the Python version in use.
2. Update to a patched Python version.
3. Restart all Python applications/services.
4. Verify the fix by testing cookie parsing functionality.
🔧 Temporary Workarounds
Input Validation Filter
Implement cookie value validation to reject or sanitize cookies containing backslashes in quoted values.
Rate Limiting
Implement rate limiting on cookie parsing endpoints to mitigate DoS impact.
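One way to apply the input validation workaround on an unpatched interpreter, as an added example that is not part of this advisory or of CPython: a guard that inspects the raw Cookie header and refuses oversized headers or quoted values containing a backslash before http.cookies ever parses them. The function names, the regex and the 4096-byte limit are constructed for this example.

```python
import re
from http.cookies import SimpleCookie, CookieError

# Hypothetical guard (not a CPython API). An opening double quote followed by
# any run of non-quote characters and then a backslash marks a quoted value
# with a backslash inside it, the shape that reaches the slow parsing path.
_QUOTED_BACKSLASH = re.compile(r'"[^"]*\\')

# Constructed size limit; tune to what your application legitimately sends.
MAX_COOKIE_HEADER = 4096


def cookie_header_is_suspicious(header: str) -> bool:
    """Return True for an oversized header or a backslash in a quoted value."""
    if len(header) > MAX_COOKIE_HEADER:
        return True
    return _QUOTED_BACKSLASH.search(header) is not None


def parse_cookie_header(header: str):
    """Parse a raw Cookie header into {name: value}.

    Returns None when the guard rejects the header or when http.cookies
    reports it as malformed, so callers can log and drop the request
    instead of spending CPU on it.
    """
    if cookie_header_is_suspicious(header):
        return None
    jar = SimpleCookie()
    try:
        jar.load(header)
    except CookieError:
        return None
    return {name: morsel.value for name, morsel in jar.items()}


if __name__ == "__main__":
    # Constructed sample headers: one benign, one with a backslash in a quoted value.
    print(parse_cookie_header('session=abc123; theme="dark"'))
    print(parse_cookie_header('a="x\\"y"'))
```

Put the guard in front of the framework's cookie handling (middleware or a reverse proxy hook) so rejected headers are counted and alerted on rather than silently dropped.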
🧯 If You Can't Patch
- Implement Web Application Firewall (WAF) rules to block cookies with suspicious patterns containing backslashes.
- Monitor CPU usage on servers parsing cookies and implement alerting for abnormal spikes.
🔍 How to Verify
Check if Vulnerable:
Check whether the Python build in use includes the fix commits listed above, or test cookie parsing with crafted cookies containing backslashes in quoted values and compare CPU time as the value length grows.
Check Version:
python --version
Verify Fix Applied:
Test cookie parsing with backslash-containing quoted values and monitor CPU usage; parse time should no longer grow quadratically with the value length.
📡 Detection & Monitoring
Log Indicators:
- Unusually high CPU usage on servers parsing cookies
- Multiple failed cookie parsing attempts
Network Indicators:
- HTTP requests with unusually large or malformed cookie headers
SIEM Query:
source="web_server" AND (cookie_header CONTAINS "\\" OR cpu_usage > 90%)
🔗 References
- https://github.com/python/cpython/commit/391e5626e3ee5af267b97e37abc7475732e67621
- https://github.com/python/cpython/commit/44e458357fca05ca0ae2658d62c8c595b048b5ef
- https://github.com/python/cpython/commit/a77ab24427a18bff817025adb03ca920dc3f1a06
- https://github.com/python/cpython/commit/b2f11ca7667e4d57c71c1c88b255115f16042d9a
- https://github.com/python/cpython/commit/d4ac921a4b081f7f996a5d2b101684b67ba0ed7f
- https://github.com/python/cpython/commit/d662e2db2605515a767f88ad48096b8ac623c774
- https://github.com/python/cpython/commit/dcc3eaef98cd94d6cb6cb0f44bd1c903d04f33b1
- https://github.com/python/cpython/issues/123067
- https://github.com/python/cpython/pull/123075
- https://mail.python.org/archives/list/security-announce@python.org/thread/HXJAAAALNUNGCQUS2W7WR6GFIZIHFOOK/
- https://lists.debian.org/debian-lts-announce/2024/12/msg00000.html
- https://security.netapp.com/advisory/ntap-20241018-0006/