Vulnerability-Lookup

CVE-2026-25577 (GCVE-0-2026-25577)

Vulnerability from cvelistv5 – Published: 2026-02-10 17:01 – Updated: 2026-02-11 15:33

Title

Emmett has an Unhandled CookieError Exception Causing Denial of Service

Summary

Emmett is a framework designed to simplify your development process. Prior to 1.3.11, the cookies property in mmett_core.http.wrappers.Request does not handle CookieError exceptions when parsing malformed Cookie headers. This allows unauthenticated attackers to trigger HTTP 500 errors and cause denial of service. This vulnerability is fixed in 1.3.11.

Severity ?

7.5 (High)


                        
                          CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

CWE

CWE-248 - Uncaught Exception
CWE-307 - Improper Restriction of Excessive Authentication Attempts

Assigner

GitHub_M

References

URL

Tags

	https://github.com/emmett-framework/core/security…	x_refsource_CONFIRM
	https://github.com/emmett-framework/core/commit/9…	x_refsource_MISC

Impacted products

	Vendor	Product	Version
	emmett-framework	core	Affected: < 1.3.11

Show details on NVD website

JSON

To clipboard

{
  "containers": {
    "adp": [
      {
        "metrics": [
          {
            "other": {
              "content": {
                "id": "CVE-2026-25577",
                "options": [
                  {
                    "Exploitation": "poc"
                  },
                  {
                    "Automatable": "yes"
                  },
                  {
                    "Technical Impact": "partial"
                  }
                ],
                "role": "CISA Coordinator",
                "timestamp": "2026-02-11T15:33:01.074738Z",
                "version": "2.0.3"
              },
              "type": "ssvc"
            }
          }
        ],
        "providerMetadata": {
          "dateUpdated": "2026-02-11T15:33:08.561Z",
          "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
          "shortName": "CISA-ADP"
        },
        "references": [
          {
            "tags": [
              "exploit"
            ],
            "url": "https://github.com/emmett-framework/core/security/advisories/GHSA-x6cr-mq53-cc76"
          }
        ],
        "title": "CISA ADP Vulnrichment"
      }
    ],
    "cna": {
      "affected": [
        {
          "product": "core",
          "vendor": "emmett-framework",
          "versions": [
            {
              "status": "affected",
              "version": "\u003c 1.3.11"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "Emmett is a framework designed to simplify your development process. Prior to 1.3.11, the cookies property in mmett_core.http.wrappers.Request does not handle CookieError exceptions when parsing malformed Cookie headers. This allows unauthenticated attackers to trigger HTTP 500 errors and cause denial of service. This vulnerability is fixed in 1.3.11."
        }
      ],
      "metrics": [
        {
          "cvssV3_1": {
            "attackComplexity": "LOW",
            "attackVector": "NETWORK",
            "availabilityImpact": "HIGH",
            "baseScore": 7.5,
            "baseSeverity": "HIGH",
            "confidentialityImpact": "NONE",
            "integrityImpact": "NONE",
            "privilegesRequired": "NONE",
            "scope": "UNCHANGED",
            "userInteraction": "NONE",
            "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
            "version": "3.1"
          }
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "cweId": "CWE-248",
              "description": "CWE-248: Uncaught Exception",
              "lang": "en",
              "type": "CWE"
            }
          ]
        },
        {
          "descriptions": [
            {
              "cweId": "CWE-307",
              "description": "CWE-307: Improper Restriction of Excessive Authentication Attempts",
              "lang": "en",
              "type": "CWE"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2026-02-10T17:01:26.622Z",
        "orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
        "shortName": "GitHub_M"
      },
      "references": [
        {
          "name": "https://github.com/emmett-framework/core/security/advisories/GHSA-x6cr-mq53-cc76",
          "tags": [
            "x_refsource_CONFIRM"
          ],
          "url": "https://github.com/emmett-framework/core/security/advisories/GHSA-x6cr-mq53-cc76"
        },
        {
          "name": "https://github.com/emmett-framework/core/commit/9557ea23a27cbadf7774d8bca6bbe4b54fa8a3ec",
          "tags": [
            "x_refsource_MISC"
          ],
          "url": "https://github.com/emmett-framework/core/commit/9557ea23a27cbadf7774d8bca6bbe4b54fa8a3ec"
        }
      ],
      "source": {
        "advisory": "GHSA-x6cr-mq53-cc76",
        "discovery": "UNKNOWN"
      },
      "title": "Emmett has an Unhandled CookieError Exception Causing Denial of Service"
    }
  },
  "cveMetadata": {
    "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
    "assignerShortName": "GitHub_M",
    "cveId": "CVE-2026-25577",
    "datePublished": "2026-02-10T17:01:26.622Z",
    "dateReserved": "2026-02-03T01:02:46.714Z",
    "dateUpdated": "2026-02-11T15:33:08.561Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.2",
  "vulnerability-lookup:meta": {
    "nvd": "{\"cve\":{\"id\":\"CVE-2026-25577\",\"sourceIdentifier\":\"security-advisories@github.com\",\"published\":\"2026-02-10T18:16:37.290\",\"lastModified\":\"2026-02-11T16:16:06.200\",\"vulnStatus\":\"Awaiting Analysis\",\"cveTags\":[],\"descriptions\":[{\"lang\":\"en\",\"value\":\"Emmett is a framework designed to simplify your development process. Prior to 1.3.11, the cookies property in mmett_core.http.wrappers.Request does not handle CookieError exceptions when parsing malformed Cookie headers. This allows unauthenticated attackers to trigger HTTP 500 errors and cause denial of service. This vulnerability is fixed in 1.3.11.\"}],\"metrics\":{\"cvssMetricV31\":[{\"source\":\"security-advisories@github.com\",\"type\":\"Secondary\",\"cvssData\":{\"version\":\"3.1\",\"vectorString\":\"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H\",\"baseScore\":7.5,\"baseSeverity\":\"HIGH\",\"attackVector\":\"NETWORK\",\"attackComplexity\":\"LOW\",\"privilegesRequired\":\"NONE\",\"userInteraction\":\"NONE\",\"scope\":\"UNCHANGED\",\"confidentialityImpact\":\"NONE\",\"integrityImpact\":\"NONE\",\"availabilityImpact\":\"HIGH\"},\"exploitabilityScore\":3.9,\"impactScore\":3.6}]},\"weaknesses\":[{\"source\":\"security-advisories@github.com\",\"type\":\"Secondary\",\"description\":[{\"lang\":\"en\",\"value\":\"CWE-248\"},{\"lang\":\"en\",\"value\":\"CWE-307\"}]}],\"references\":[{\"url\":\"https://github.com/emmett-framework/core/commit/9557ea23a27cbadf7774d8bca6bbe4b54fa8a3ec\",\"source\":\"security-advisories@github.com\"},{\"url\":\"https://github.com/emmett-framework/core/security/advisories/GHSA-x6cr-mq53-cc76\",\"source\":\"security-advisories@github.com\"},{\"url\":\"https://github.com/emmett-framework/core/security/advisories/GHSA-x6cr-mq53-cc76\",\"source\":\"134c704f-9b21-4f2e-91b3-4a467353bcc0\"}]}}",
    "vulnrichment": {
      "containers": "{\"adp\": [{\"title\": \"CISA ADP Vulnrichment\", \"metrics\": [{\"other\": {\"type\": \"ssvc\", \"content\": {\"id\": \"CVE-2026-25577\", \"role\": \"CISA Coordinator\", \"options\": [{\"Exploitation\": \"poc\"}, {\"Automatable\": \"yes\"}, {\"Technical Impact\": \"partial\"}], \"version\": \"2.0.3\", \"timestamp\": \"2026-02-11T15:33:01.074738Z\"}}}], \"references\": [{\"url\": \"https://github.com/emmett-framework/core/security/advisories/GHSA-x6cr-mq53-cc76\", \"tags\": [\"exploit\"]}], \"providerMetadata\": {\"orgId\": \"134c704f-9b21-4f2e-91b3-4a467353bcc0\", \"shortName\": \"CISA-ADP\", \"dateUpdated\": \"2026-02-11T15:32:48.921Z\"}}], \"cna\": {\"title\": \"Emmett has an Unhandled CookieError Exception Causing Denial of Service\", \"source\": {\"advisory\": \"GHSA-x6cr-mq53-cc76\", \"discovery\": \"UNKNOWN\"}, \"metrics\": [{\"cvssV3_1\": {\"scope\": \"UNCHANGED\", \"version\": \"3.1\", \"baseScore\": 7.5, \"attackVector\": \"NETWORK\", \"baseSeverity\": \"HIGH\", \"vectorString\": \"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H\", \"integrityImpact\": \"NONE\", \"userInteraction\": \"NONE\", \"attackComplexity\": \"LOW\", \"availabilityImpact\": \"HIGH\", \"privilegesRequired\": \"NONE\", \"confidentialityImpact\": \"NONE\"}}], \"affected\": [{\"vendor\": \"emmett-framework\", \"product\": \"core\", \"versions\": [{\"status\": \"affected\", \"version\": \"\u003c 1.3.11\"}]}], \"references\": [{\"url\": \"https://github.com/emmett-framework/core/security/advisories/GHSA-x6cr-mq53-cc76\", \"name\": \"https://github.com/emmett-framework/core/security/advisories/GHSA-x6cr-mq53-cc76\", \"tags\": [\"x_refsource_CONFIRM\"]}, {\"url\": \"https://github.com/emmett-framework/core/commit/9557ea23a27cbadf7774d8bca6bbe4b54fa8a3ec\", \"name\": \"https://github.com/emmett-framework/core/commit/9557ea23a27cbadf7774d8bca6bbe4b54fa8a3ec\", \"tags\": [\"x_refsource_MISC\"]}], \"descriptions\": [{\"lang\": \"en\", \"value\": \"Emmett is a framework designed to simplify your development process. Prior to 1.3.11, the cookies property in mmett_core.http.wrappers.Request does not handle CookieError exceptions when parsing malformed Cookie headers. This allows unauthenticated attackers to trigger HTTP 500 errors and cause denial of service. This vulnerability is fixed in 1.3.11.\"}], \"problemTypes\": [{\"descriptions\": [{\"lang\": \"en\", \"type\": \"CWE\", \"cweId\": \"CWE-248\", \"description\": \"CWE-248: Uncaught Exception\"}]}, {\"descriptions\": [{\"lang\": \"en\", \"type\": \"CWE\", \"cweId\": \"CWE-307\", \"description\": \"CWE-307: Improper Restriction of Excessive Authentication Attempts\"}]}], \"providerMetadata\": {\"orgId\": \"a0819718-46f1-4df5-94e2-005712e83aaa\", \"shortName\": \"GitHub_M\", \"dateUpdated\": \"2026-02-10T17:01:26.622Z\"}}}",
      "cveMetadata": "{\"cveId\": \"CVE-2026-25577\", \"state\": \"PUBLISHED\", \"dateUpdated\": \"2026-02-11T15:33:08.561Z\", \"dateReserved\": \"2026-02-03T01:02:46.714Z\", \"assignerOrgId\": \"a0819718-46f1-4df5-94e2-005712e83aaa\", \"datePublished\": \"2026-02-10T17:01:26.622Z\", \"assignerShortName\": \"GitHub_M\"}",
      "dataType": "CVE_RECORD",
      "dataVersion": "5.2"
    }
  }
}

FKIE_CVE-2026-25577

Vulnerability from fkie_nvd - Published: 2026-02-10 18:16 - Updated: 2026-02-11 16:16

Severity ?

7.5 (High) - CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

Summary

References

	URL	Tags
	security-advisories@github.com	https://github.com/emmett-framework/core/commit/9557ea23a27cbadf7774d8bca6bbe4b54fa8a3ec
	security-advisories@github.com	https://github.com/emmett-framework/core/security/advisories/GHSA-x6cr-mq53-cc76
	134c704f-9b21-4f2e-91b3-4a467353bcc0	https://github.com/emmett-framework/core/security/advisories/GHSA-x6cr-mq53-cc76

Impacted products

	Vendor	Product	Version

JSON

To clipboard

{
  "cveTags": [],
  "descriptions": [
    {
      "lang": "en",
      "value": "Emmett is a framework designed to simplify your development process. Prior to 1.3.11, the cookies property in mmett_core.http.wrappers.Request does not handle CookieError exceptions when parsing malformed Cookie headers. This allows unauthenticated attackers to trigger HTTP 500 errors and cause denial of service. This vulnerability is fixed in 1.3.11."
    }
  ],
  "id": "CVE-2026-25577",
  "lastModified": "2026-02-11T16:16:06.200",
  "metrics": {
    "cvssMetricV31": [
      {
        "cvssData": {
          "attackComplexity": "LOW",
          "attackVector": "NETWORK",
          "availabilityImpact": "HIGH",
          "baseScore": 7.5,
          "baseSeverity": "HIGH",
          "confidentialityImpact": "NONE",
          "integrityImpact": "NONE",
          "privilegesRequired": "NONE",
          "scope": "UNCHANGED",
          "userInteraction": "NONE",
          "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
          "version": "3.1"
        },
        "exploitabilityScore": 3.9,
        "impactScore": 3.6,
        "source": "security-advisories@github.com",
        "type": "Secondary"
      }
    ]
  },
  "published": "2026-02-10T18:16:37.290",
  "references": [
    {
      "source": "security-advisories@github.com",
      "url": "https://github.com/emmett-framework/core/commit/9557ea23a27cbadf7774d8bca6bbe4b54fa8a3ec"
    },
    {
      "source": "security-advisories@github.com",
      "url": "https://github.com/emmett-framework/core/security/advisories/GHSA-x6cr-mq53-cc76"
    },
    {
      "source": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
      "url": "https://github.com/emmett-framework/core/security/advisories/GHSA-x6cr-mq53-cc76"
    }
  ],
  "sourceIdentifier": "security-advisories@github.com",
  "vulnStatus": "Awaiting Analysis",
  "weaknesses": [
    {
      "description": [
        {
          "lang": "en",
          "value": "CWE-248"
        },
        {
          "lang": "en",
          "value": "CWE-307"
        }
      ],
      "source": "security-advisories@github.com",
      "type": "Secondary"
    }
  ]
}

GHSA-X6CR-MQ53-CC76

Vulnerability from github – Published: 2026-02-10 14:33 – Updated: 2026-02-10 19:56

Summary

Emmett-Core: Unhandled CookieError Exception Causing Denial of Service

Details

Summary

The cookies property in emmett_core.http.wrappers.Request does not handle CookieError exceptions when parsing malformed Cookie headers. This allows unauthenticated attackers to trigger HTTP 500 errors and cause denial of service.

Details

Location: emmett_core/http/wrappers/__init__.py (line 64)

Vulnerable Code:

@cachedprop
def cookies(self) -> SimpleCookie:
    cookies: SimpleCookie = SimpleCookie()
    for cookie in self.headers.get("cookie", "").split(";"):
        cookies.load(cookie)  # No exception handling
    return cookies

PoC

Sending cookies containing special characters such as /(){} will result in insufficient error handling and a server error.

$ curl -w "\nTime: %{time_total}s\n" http://localhost:8000/ -H "Cookie:/security=test"
Internal error
Time: 0.024363s

After the same error occurs several times, the server cannot process it normally.

$ curl -w "\nTime: %{time_total}s\n" http://localhost:8000/ -H "Cookie:(security=test"
Internal error
Time: 60.069334s

$ curl -w "\nTime: %{time_total}s\n" http://localhost:8000/ -H "Cookie:security=test"
Internal error
Time: 60.074031s

This is server log.

[2026-02-03 08:23:40,541] ERROR in handlers: Application exception:
Traceback (most recent call last):
  File "/home/geonwoo/.local/lib/python3.13/site-packages/emmett/rsgi/handlers.py", line 70, in dynamic_handler
    http = await self.router.dispatch(request, response)
           ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
  File "/home/geonwoo/.local/lib/python3.13/site-packages/emmett_core/routing/router.py", line 240, in dispatch
    return await match.dispatch(reqargs, response)
           ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
  File "/home/geonwoo/.local/lib/python3.13/site-packages/emmett_core/routing/dispatchers.py", line 57, in dispatch
    await self._parallel_flow(self.flow_open)
  File "/home/geonwoo/.local/lib/python3.13/site-packages/emmett_core/routing/dispatchers.py", line 17, in _parallel_flow
    raise task.exception()
  File "/home/geonwoo/.local/lib/python3.13/site-packages/emmett_core/sessions.py", line 102, in open_request
    if self.cookie_name in self.current.request.cookies:
                           ^^^^^^^^^^^^^^^^^^^^^^^^^^^^
  File "/home/geonwoo/.local/lib/python3.13/site-packages/emmett_core/utils.py", line 37, in __get__
    obj.__dict__[self.__name__] = rv = self.fget(obj)
                                       ~~~~~~~~~^^^^^
  File "/home/geonwoo/.local/lib/python3.13/site-packages/emmett_core/http/wrappers/__init__.py", line 64, in cookies
    cookies.load(cookie)
    ~~~~~~~~~~~~^^^^^^^^
  File "/usr/lib/python3.13/http/cookies.py", line 516, in load
    self.__parse_string(rawdata)
    ~~~~~~~~~~~~~~~~~~~^^^^^^^^^
  File "/usr/lib/python3.13/http/cookies.py", line 580, in __parse_string
    self.__set(key, rval, cval)
    ~~~~~~~~~~^^^^^^^^^^^^^^^^^
  File "/usr/lib/python3.13/http/cookies.py", line 472, in __set
    M.set(key, real_value, coded_value)
    ~~~~~^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
  File "/usr/lib/python3.13/http/cookies.py", line 335, in set
    raise CookieError('Illegal key %r' % (key,))
http.cookies.CookieError: Illegal key '/security'

Impact

This vulnerability allows unauthenticated attackers to cause denial of service and performance degradation by sending malformed Cookie headers. After this vulnerability occurs, we expect it to be difficult to use the normal service.

patch

/emmett_core/http/wrappers/__init__.py

- from http.cookies import SimpleCookie 
+ from http.cookies import SimpleCookie, CookieError  # add CookieError
...
...
    @cachedprop
    def cookies(self) -> SimpleCookie:
        cookies: SimpleCookie = SimpleCookie()
        for cookie in self.headers.get("cookie", "").split(";"):
-           cookies.load(cookie)
+           try:
+               cookies.load(cookie)
+            except CookieError:
+                continue
        return cookies

Severity ?

7.5 (High)


                  
                    CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

Show details on source website

JSON

To clipboard

{
  "affected": [
    {
      "database_specific": {
        "last_known_affected_version_range": "\u003c= 1.3.10"
      },
      "package": {
        "ecosystem": "PyPI",
        "name": "emmett-core"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "fixed": "1.3.11"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "aliases": [
    "CVE-2026-25577"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-248",
      "CWE-703"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2026-02-10T14:33:15Z",
    "nvd_published_at": "2026-02-10T18:16:37Z",
    "severity": "HIGH"
  },
  "details": "### Summary\nThe `cookies` property in `emmett_core.http.wrappers.Request` does not handle \n`CookieError` exceptions when parsing malformed Cookie headers. This allows \nunauthenticated attackers to trigger HTTP 500 errors and cause denial of service.\n\n\n### Details\n\n**Location:** `emmett_core/http/wrappers/__init__.py` (line 64)\n\n**Vulnerable Code:**\n```python\n@cachedprop\ndef cookies(self) -\u003e SimpleCookie:\n    cookies: SimpleCookie = SimpleCookie()\n    for cookie in self.headers.get(\"cookie\", \"\").split(\";\"):\n        cookies.load(cookie)  # No exception handling\n    return cookies\n```\n\n### PoC\nSending cookies containing special characters such as /(){} will result in insufficient error handling and a server error.\n```bash\n$ curl -w \"\\nTime: %{time_total}s\\n\" http://localhost:8000/ -H \"Cookie:/security=test\"\nInternal error\nTime: 0.024363s\n```\nAfter the same error occurs several times, the server cannot process it normally.\n```bash\n$ curl -w \"\\nTime: %{time_total}s\\n\" http://localhost:8000/ -H \"Cookie:(security=test\"\nInternal error\nTime: 60.069334s\n\n$ curl -w \"\\nTime: %{time_total}s\\n\" http://localhost:8000/ -H \"Cookie:security=test\"\nInternal error\nTime: 60.074031s\n```\n\nThis is server log.\n```bash\n[2026-02-03 08:23:40,541] ERROR in handlers: Application exception:\nTraceback (most recent call last):\n  File \"/home/geonwoo/.local/lib/python3.13/site-packages/emmett/rsgi/handlers.py\", line 70, in dynamic_handler\n    http = await self.router.dispatch(request, response)\n           ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^\n  File \"/home/geonwoo/.local/lib/python3.13/site-packages/emmett_core/routing/router.py\", line 240, in dispatch\n    return await match.dispatch(reqargs, response)\n           ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^\n  File \"/home/geonwoo/.local/lib/python3.13/site-packages/emmett_core/routing/dispatchers.py\", line 57, in dispatch\n    await self._parallel_flow(self.flow_open)\n  File \"/home/geonwoo/.local/lib/python3.13/site-packages/emmett_core/routing/dispatchers.py\", line 17, in _parallel_flow\n    raise task.exception()\n  File \"/home/geonwoo/.local/lib/python3.13/site-packages/emmett_core/sessions.py\", line 102, in open_request\n    if self.cookie_name in self.current.request.cookies:\n                           ^^^^^^^^^^^^^^^^^^^^^^^^^^^^\n  File \"/home/geonwoo/.local/lib/python3.13/site-packages/emmett_core/utils.py\", line 37, in __get__\n    obj.__dict__[self.__name__] = rv = self.fget(obj)\n                                       ~~~~~~~~~^^^^^\n  File \"/home/geonwoo/.local/lib/python3.13/site-packages/emmett_core/http/wrappers/__init__.py\", line 64, in cookies\n    cookies.load(cookie)\n    ~~~~~~~~~~~~^^^^^^^^\n  File \"/usr/lib/python3.13/http/cookies.py\", line 516, in load\n    self.__parse_string(rawdata)\n    ~~~~~~~~~~~~~~~~~~~^^^^^^^^^\n  File \"/usr/lib/python3.13/http/cookies.py\", line 580, in __parse_string\n    self.__set(key, rval, cval)\n    ~~~~~~~~~~^^^^^^^^^^^^^^^^^\n  File \"/usr/lib/python3.13/http/cookies.py\", line 472, in __set\n    M.set(key, real_value, coded_value)\n    ~~~~~^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^\n  File \"/usr/lib/python3.13/http/cookies.py\", line 335, in set\n    raise CookieError(\u0027Illegal key %r\u0027 % (key,))\nhttp.cookies.CookieError: Illegal key \u0027/security\u0027\n```\n\n### Impact\nThis vulnerability allows unauthenticated attackers to cause denial of service \nand performance degradation by sending malformed Cookie headers. \nAfter this vulnerability occurs, we expect it to be difficult to use the normal service.\n\n\n\n### patch \n`/emmett_core/http/wrappers/__init__.py`\n```python\n- from http.cookies import SimpleCookie \n+ from http.cookies import SimpleCookie, CookieError  # add CookieError\n...\n...\n    @cachedprop\n    def cookies(self) -\u003e SimpleCookie:\n        cookies: SimpleCookie = SimpleCookie()\n        for cookie in self.headers.get(\"cookie\", \"\").split(\";\"):\n-           cookies.load(cookie)\n+           try:\n+               cookies.load(cookie)\n+            except CookieError:\n+                continue\n        return cookies\n```",
  "id": "GHSA-x6cr-mq53-cc76",
  "modified": "2026-02-10T19:56:59Z",
  "published": "2026-02-10T14:33:15Z",
  "references": [
    {
      "type": "WEB",
      "url": "https://github.com/emmett-framework/core/security/advisories/GHSA-x6cr-mq53-cc76"
    },
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-25577"
    },
    {
      "type": "WEB",
      "url": "https://github.com/emmett-framework/core/commit/9557ea23a27cbadf7774d8bca6bbe4b54fa8a3ec"
    },
    {
      "type": "WEB",
      "url": "https://github.com/emmett-framework/core/commit/c126757133e118119a280b58f3bb345b1c9a8a2a"
    },
    {
      "type": "PACKAGE",
      "url": "https://github.com/emmett-framework/core"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
      "type": "CVSS_V3"
    }
  ],
  "summary": "Emmett-Core: Unhandled CookieError Exception Causing Denial of Service"
}

Sightings

Author	Source	Type	Date

Nomenclature

Seen: The vulnerability was mentioned, discussed, or observed by the user.
Confirmed: The vulnerability has been validated from an analyst's perspective.
Published Proof of Concept: A public proof of concept is available for this vulnerability.
Exploited: The vulnerability was observed as exploited by the user who reported the sighting.
Patched: The vulnerability was observed as successfully patched by the user who reported the sighting.
Not exploited: The vulnerability was not observed as exploited by the user who reported the sighting.
Not confirmed: The user expressed doubt about the validity of the vulnerability.
Not patched: The vulnerability was not observed as successfully patched by the user who reported the sighting.

Detection rules are retrieved from Rulezet.

Action not permitted

CVE-2026-25577 (GCVE-0-2026-25577)

FKIE_CVE-2026-25577

GHSA-X6CR-MQ53-CC76

Summary

Details

PoC

Impact

patch

Tags

Sightings

Nomenclature