Regular Expression Denial of Service in http.cookiejar

The regex http.cookiejar.LOOSE_HTTP_DATE_RE is vulnerable to regular expression denial of service (ReDoS). LOOSE_HTTP_DATE_RE.match() is called when http.cookiejar.CookieJar parses Set-Cookie headers returned by an HTTP server. Processing a response from a malicious HTTP server can therefore cause extreme CPU usage and block execution for a long time.
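One defensive measure while running an unpatched interpreter is to bound the length of cookie date strings before they reach http.cookiejar's date parser, since legitimate cookie dates are short. The following is an added example, not code from the advisory or from CPython; it assumes http.cookiejar.http2time is the public entry point that reaches LOOSE_HTTP_DATE_RE, and the cap value is a constructed choice.

```python
"""Added example: length-cap cookie dates before http.cookiejar parses them.

Assumptions (not stated in the advisory): http.cookiejar.http2time is the
public wrapper whose fallback path uses LOOSE_HTTP_DATE_RE; the cap below
is a constructed value, not a documented limit.
"""
import http.cookiejar
from typing import Optional

# Well-formed cookie dates (RFC 1123, RFC 850, asctime) are under 40
# characters, so anything much longer is not a date and never needs to be
# handed to a backtracking regex.
MAX_COOKIE_DATE_LEN = 64


def safe_http2time(text: str) -> Optional[int]:
    """Return epoch seconds for a cookie date, or None if it is rejected.

    Over-long values are refused before any regex in http.cookiejar runs,
    which removes the input class that makes LOOSE_HTTP_DATE_RE expensive.
    """
    if len(text) > MAX_COOKIE_DATE_LEN:
        return None
    return http.cookiejar.http2time(text)


def expires_from_set_cookie(header_value: str) -> Optional[int]:
    """Pull the Expires attribute out of one Set-Cookie value and parse it.

    Attributes after the first ';' are scanned; the name comparison is
    case-insensitive as cookie attribute names are.
    """
    for part in header_value.split(";")[1:]:
        name, _, value = part.strip().partition("=")
        if name.strip().lower() == "expires":
            return safe_http2time(value.strip())
    return None


if __name__ == "__main__":
    # Constructed sample header; the date is a normal RFC 1123 timestamp.
    sample = "session=abc123; Expires=Wed, 09 Jun 2021 10:18:14 GMT; Path=/"
    print(expires_from_set_cookie(sample))
```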


  • Disclosure date: 2019-11-14 (Python issue bpo-38804 reported)

Fixed In

Python issue

  • Python issue: bpo-38804
  • Creation date: 2019-11-14
  • Reporter: Ben Caller


Timeline using the disclosure date 2019-11-14 as reference: