CVE-2024-7592 | Quadratic complexity parsing cookies with backslashes

Exp

There is a LOW severity vulnerability affecting CPython, specifically the 'http.cookies' standard library module. When parsing cookies that contained backslashes for quoted characters in the cookie value, the parser would use an algorithm with quadratic complexity, resulting in excess CPU resources being used while parsing the value.

Published: 2024-08-19 Last update: 2026-06-17 Assigner: [email protected] Source: [email protected]

Conclusion & alert: CVE-2024-7592 is rated High Exploit Risk (74.8/100): CVSS High severity, with medium exploitation likelihood (EPSS 2.30%). Core evidence: 1 public exploit reference(s) are indexed (Exploit-DB). EPSS rose +1.42% over the last day, indicating growing attacker interest. Mandatory action: Public exploits are available—assess exposure, apply mitigations, and prioritize patching.

Risk is dynamic; we continuously reassess and refresh what is shown on this page as upstream context changes.

Public exploit references (Exploit-DB) for CVE-2024-7592

EDB-ID Source Kind Published Link
nvd_ref exploit_tag Exploit-DB ↗

Exploit prediction scoring system (EPSS) score for CVE-2024-7592

EPSS lead: Daily EPSS estimates relative likelihood of exploitation; percentile ranks this CVE among scored vulnerabilities (higher = more severe relative rank).

# Date Old EPSS score New EPSS score Delta (New - Old)
1 2026-06-15 0.88% 2.30% +1.42%
2 2026-05-24 0.80% 0.88% +0.09%
3 2026-04-29 0.80%

Full EPSS history (31 records total)

Common vulnerability scoring system (CVSS) metrics for CVE-2024-7592

CVSS metrics for this CVE.

Base score Version Severity Vector Exploitability Impact Score source
7.5 3.1 HIGH
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H Click to expand
Attack vector (AV:N)
Could be attacked over the internet or any normal routed network—not just someone sitting at the machine.
Attack complexity (AC:L)
Once they can reach the bug, pulling it off is straightforward—no weird race conditions or rare setup.
Privileges required (PR:N)
No account or special rights needed—anonymous or random user is enough.
User interaction (UI:N)
Nobody has to click “OK” or open a trap file; it can work without a victim helping.
Scope (S:U)
Damage stays in the same “trust bubble” as the broken component—no big spill into unrelated systems.
Confidentiality (C:N)
Doesn’t really leak secrets in a meaningful way.
Integrity (I:N)
Data isn’t meaningfully altered or forged.
Availability (A:H)
Could take the service down hard or make it unusable for people who depend on it.
3.9 3.6 [email protected]
7.5 3.1 HIGH
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H Click to expand
Attack vector (AV:N)
Could be attacked over the internet or any normal routed network—not just someone sitting at the machine.
Attack complexity (AC:L)
Once they can reach the bug, pulling it off is straightforward—no weird race conditions or rare setup.
Privileges required (PR:N)
No account or special rights needed—anonymous or random user is enough.
User interaction (UI:N)
Nobody has to click “OK” or open a trap file; it can work without a victim helping.
Scope (S:U)
Damage stays in the same “trust bubble” as the broken component—no big spill into unrelated systems.
Confidentiality (C:N)
Doesn’t really leak secrets in a meaningful way.
Integrity (I:N)
Data isn’t meaningfully altered or forged.
Availability (A:H)
Could take the service down hard or make it unusable for people who depend on it.
3.9 3.6 134c704f-9b21-4f2e-91b3-4a467353bcc0

Weakness enumeration for CVE-2024-7592

OS Trackers for CVE-2024-7592

vendor priority summary link
alpine CVE-2024-7592: 2 source package rows (py3-tornado, python3); 8 state rows across 8 repos (3.17-main, 3.18-main, 3.19-main, 3.20-community, 3.20-main, 3.21-main, 3.22-main, edge-main); fixed 8, open 0. https://security.alpinelinux.org/vuln/CVE-2024-7592
debian not yet assigned CVE-2024-7592 not yet assigned priority: Debian including 4 source packages (pypy3, python3.11, python3.13, python3.9), 10 status rows across 5 suites (bookworm, bullseye, forky, sid, trixie): resolved 9, open 1. https://security-tracker.debian.org/tracker/CVE-2024-7592
gentoo high CVE-2024-7592: 1 GLSA(s) (202506-07), 2 atom(s) (dev-lang/pypy, dev-lang/python); latest impact high. https://bugs.gentoo.org/buglist.cgi?quicksearch=CVE-2024-7592
redhat low https://access.redhat.com/security/cve/CVE-2024-7592
suse medium CVE-2024-7592 severity moderate: SUSE including 615 source package names (0.0.17-1.1:libpython3_11-1_0-3.11.10-150600.3.6.1, 0.0.17-1.1:libpython3_6m1_0-3.6.15-150300.10.72.1, …), 2574 product×package rows across 411 product lines (Container bci/bci-sle15-kernel-module-devel, Container bci/kiwi, … (411 product lines)): Fixed 2336, Known Affected 221, First Fixed 15, Will Not Fix 2. https://www.suse.com/security/cve/CVE-2024-7592/
ubuntu low CVE-2024-7592 low priority: Ubuntu including 11 source packages (python2.7, python3.10, …), 86 status rows across 10 suites (bionic, focal, jammy, noble, oracular, plucky, questing, trusty, upstream, xenial): DNE 55, needs-triage 13, released 12, not-affected 4, ignored 2. https://ubuntu.com/security/CVE-2024-7592

Affected software / configurations for CVE-2024-7592

Vendor Product Version Raw CPE
python python < 3.8.20 cpe:2.3:a:python:python:*:*:*:*:*:*:*:*
python python >= 3.9.0, < 3.9.20 cpe:2.3:a:python:python:*:*:*:*:*:*:*:*
python python >= 3.10.0, < 3.10.15 cpe:2.3:a:python:python:*:*:*:*:*:*:*:*
python python >= 3.11.0, < 3.11.10 cpe:2.3:a:python:python:*:*:*:*:*:*:*:*
python python >= 3.12.0, < 3.12.6 cpe:2.3:a:python:python:*:*:*:*:*:*:*:*
python python 3.13.0 cpe:2.3:a:python:python:3.13.0:alpha0:*:*:*:*:*:*
python python 3.13.0 cpe:2.3:a:python:python:3.13.0:alpha1:*:*:*:*:*:*
python python 3.13.0 cpe:2.3:a:python:python:3.13.0:alpha2:*:*:*:*:*:*
python python 3.13.0 cpe:2.3:a:python:python:3.13.0:alpha3:*:*:*:*:*:*
python python 3.13.0 cpe:2.3:a:python:python:3.13.0:alpha4:*:*:*:*:*:*
python python 3.13.0 cpe:2.3:a:python:python:3.13.0:alpha5:*:*:*:*:*:*
python python 3.13.0 cpe:2.3:a:python:python:3.13.0:alpha6:*:*:*:*:*:*
python python 3.13.0 cpe:2.3:a:python:python:3.13.0:beta1:*:*:*:*:*:*
python python 3.13.0 cpe:2.3:a:python:python:3.13.0:beta2:*:*:*:*:*:*
python python 3.13.0 cpe:2.3:a:python:python:3.13.0:beta3:*:*:*:*:*:*
python python 3.13.0 cpe:2.3:a:python:python:3.13.0:beta4:*:*:*:*:*:*
python python 3.13.0 cpe:2.3:a:python:python:3.13.0:rc1:*:*:*:*:*:*

References for CVE-2024-7592

URL Tags
https://github.com/python/cpython/commit/391e5626e3ee5af267b97e37abc7475732e67621 Patch
https://github.com/python/cpython/commit/44e458357fca05ca0ae2658d62c8c595b048b5ef Patch
https://github.com/python/cpython/commit/a77ab24427a18bff817025adb03ca920dc3f1a06 Patch
https://github.com/python/cpython/commit/b2f11ca7667e4d57c71c1c88b255115f16042d9a Patch
https://github.com/python/cpython/commit/d4ac921a4b081f7f996a5d2b101684b67ba0ed7f Patch
https://github.com/python/cpython/commit/d662e2db2605515a767f88ad48096b8ac623c774 Patch
https://github.com/python/cpython/commit/dcc3eaef98cd94d6cb6cb0f44bd1c903d04f33b1 Patch
https://github.com/python/cpython/issues/123067 Exploit Issue Tracking Patch
https://github.com/python/cpython/pull/123075 Issue Tracking Patch
https://mail.python.org/archives/list/[email protected]/thread/HXJAAAALNUNGCQUS2W7WR6GFIZIHFOOK/ Mailing List
https://lists.debian.org/debian-lts-announce/2024/12/msg00000.html
https://security.netapp.com/advisory/ntap-20241018-0006/ Third Party Advisory
cvelogic Threat Intelligence