CVE-2024-7592: Denial of Service Vulnerability in http.cookies._unquote() #123067

Closed
@ch4n3-yoon


Bug report

Bug description:

Description

A potential Denial of Service (DoS) vulnerability, identified as CVE-2024-7592, has been discovered in the _unquote() method of the http.cookies module in Python's standard library. This vulnerability is particularly concerning as it affects frameworks that utilize this method, including Django.

Vulnerable Code

The _unquote() function uses regular expressions _OctalPatt and _QuotePatt within a while loop to process input strings. The problematic patterns and their application can lead to exponential time complexity under certain conditions, akin to a Regular Expression Denial of Service (ReDoS) attack.

# http/cookies.py
import re

# Octal escape (\ooo) and generic backslash escape (\x) as used by _unquote()
_OctalPatt = re.compile(r"\\[0-3][0-7][0-7]")
_QuotePatt = re.compile(r"[\\].")

def _unquote(str):
    # ... (code omitted for brevity)
    while 0 <= i < n:
        # both patterns are searched again from position i on every pass
        o_match = _OctalPatt.search(str, i)
        q_match = _QuotePatt.search(str, i)
        # ... (further processing)

Impact

This vulnerability has also been verified in the Django framework, where the parse_cookie() function uses this method to process incoming cookie headers. This could potentially be exploited by sending specially crafted cookie values to trigger significant delays:

  • Cookie sizes of 8000+ bytes caused delays of approximately 0.15 seconds per HTTP request.
  • Cookie sizes of 20000+ bytes resulted in delays of about 1 second per request.

While many environments limit HTTP request sizes, the specific limits vary, and in some cases, this vulnerability could be exploited.

CPython versions tested on:

CPython main branch

Operating systems tested on:

Linux
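The following is an added example written for this note; it is not code from the issue, from the linked PRs, or from CPython's http/cookies.py. It models the two-search loop the report describes so the cost can be seen (each pass re-runs both searches from position i, so a value that keeps matching one pattern but never the other makes the other search re-scan the remaining tail on every iteration), places a single-pass alternative beside it that scans the input once with one alternation regex, and adds a pre-parse length guard of the kind the report's last paragraph alludes to. The names unquote_two_search, unquote_linear, decode_cookie_values and the 4096-byte limit are assumptions made for the example.

```python
import re

# Model of the two-regex loop described in the report (an illustration for this
# note, not CPython's own code).  Every iteration calls search() for BOTH
# patterns starting at i, so the pattern that does not match has to scan the
# whole remaining tail each time: the total work grows with n * n.
_OctalPatt = re.compile(r"\\[0-3][0-7][0-7]")
_QuotePatt = re.compile(r"[\\].")


def unquote_two_search(value):
    if value is None or len(value) < 2:
        return value
    if value[0] != '"' or value[-1] != '"':
        return value
    value = value[1:-1]
    res = []
    i, n = 0, len(value)
    while 0 <= i < n:
        o_match = _OctalPatt.search(value, i)
        q_match = _QuotePatt.search(value, i)
        if not o_match and not q_match:      # no escapes left: copy the rest
            res.append(value[i:])
            break
        j = o_match.start(0) if o_match else -1
        k = q_match.start(0) if q_match else -1
        if q_match and (not o_match or k < j):   # \x -> x
            res.append(value[i:k])
            res.append(value[k + 1])
            i = k + 2
        else:                                    # \ooo -> chr(octal)
            res.append(value[i:j])
            res.append(chr(int(value[j + 1:j + 4], 8)))
            i = j + 4
    return "".join(res)


# Single-pass alternative: one alternation regex handed to re.sub.  The octal
# branch is tried first so "\101" decodes to "A" rather than to "1" + "01";
# the engine walks the string exactly once whatever mix of escapes it holds.
_EscapePatt = re.compile(r"\\(?:([0-3][0-7][0-7])|(.))")


def _replace_escape(m):
    if m.group(1):
        return chr(int(m.group(1), 8))
    return m.group(2)


def unquote_linear(value):
    if value is None or len(value) < 2:
        return value
    if value[0] != '"' or value[-1] != '"':
        return value
    return _EscapePatt.sub(_replace_escape, value[1:-1])


def decode_cookie_values(header, max_len=4096):
    """Split a Cookie header into {name: decoded value}, refusing headers
    longer than max_len BEFORE any per-value decoding runs.  Returns None when
    the header is rejected.  The 4096 limit is a constructed example value,
    not a figure from the report; pick it to match your framework's limits."""
    if len(header) > max_len:
        return None
    out = {}
    for chunk in header.split(";"):
        if "=" not in chunk:
            continue
        name, _, value = chunk.partition("=")
        out[name.strip()] = unquote_linear(value.strip())
    return out


if __name__ == "__main__":
    # Constructed sample values: both decoders must agree on every one.
    samples = ['"\\101"', '"\\a\\101b"', '"\\8"', '"\\\\"', '"a\\"', 'plain', '""']
    for s in samples:
        assert unquote_two_search(s) == unquote_linear(s), s
    print(decode_cookie_values('session="\\101bc"; theme=dark'))
```

The equivalence loop in the `__main__` block is the check worth keeping when replacing a scanning loop with a `re.sub` rewrite: the two must agree on octal escapes, plain backslash escapes, a trailing lone backslash, and unquoted input. The length guard is a separate layer; it does not fix the decoder, it only bounds how much input the decoder ever sees.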

Labels: type-bug (An unexpected behavior, bug, or error), type-security (A security issue)