CVE-2024-7592

Advisory lineage Upstream: 0 Downstream: 35
Modified
Published: 19 Aug 2024, 19:06
Last modified:03 Nov 2025, 22:32

Vulnerability Summary

Overall Risk (default)
medium
40/100
CVSS Score
7.5 HIGH
v3.1 (cve.org)
EPSS Score
0.88% LOW
1% probability +0.09%
KEV
Not listed
Ransomware
No reports
Public exploits
1 found
Dark Web
Not detected

Timeline

19 Aug 2024, 19:06
Published
Vulnerability first disclosed
03 Nov 2025, 22:32
Last Modified
Vulnerability information updated

Description

There is a LOW severity vulnerability affecting CPython, specifically the 'http.cookies' standard library module. When parsing cookies that contained backslashes for quoted characters in the cookie value, the parser would use an algorithm with quadratic complexity, resulting in excess CPU resources being used while parsing the value.

CVSS Metrics

  • v3.1HIGHScore: 7.5CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

EPSS Trends

Current EPSS score: 0.88% Percentile: 76%

Techniques & Countermeasures

  • CWE-400Uncontrolled Resource Consumption

    The product does not properly control the allocation and maintenance of a limited resource.

  • CWE-1333Inefficient Regular Expression Complexity

    The product uses a regular expression with a worst-case computational complexity that is inefficient and possibly exponential.

Affected Systems

  • python software foundationcpython

    < 3.8.20 | ≥ 3.9.0, < 3.9.20 | ≥ 3.10.0, < 3.10.15 | ≥ 3.11.0, < 3.11.10 | ≥ 3.12.0, < 3.12.6 | ≥ 3.13.0a1, < 3.13.0rc2

  • pythonpython

    < 3.8.20 | ≥ 3.9.0, < 3.9.20 | ≥ 3.10.0, < 3.10.15 | ≥ 3.11.0, < 3.11.10 | ≥ 3.12.0, < 3.12.6 | 3.13.0:alpha0 | 3.13.0:alpha1 | 3.13.0:alpha2 | 3.13.0:alpha3 | 3.13.0:alpha4 | 3.13.0:alpha5 | 3.13.0:alpha6 | 3.13.0:beta1 | 3.13.0:beta2 | 3.13.0:beta3 | 3.13.0:beta4 | 3.13.0:rc1

References (12)