Regular Expression Denial of Service in http.cookiejar

Warning

This resource is maintained for historical reference and does not contain the latest vulnerability info for Python.

The canonical database for vulnerabilities affecting Python is available on GitHub in the Open Source Vulnerability (OSV) format. This database can be viewed online at the Open Source Vulnerability Database.

The regex http.cookiejar.LOOSE_HTTP_DATE_RE is vulnerable to regular expression denial of service ("ReDoS"). LOOSE_HTTP_DATE_RE.match() is called when http.cookiejar.CookieJar parses Set-Cookie headers returned by an HTTP server. Processing a response from a malicious HTTP server can therefore cause extreme CPU usage, and execution is blocked for a long time while the regex engine backtracks.
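As an added defensive example (not part of this advisory or of CPython's fix): a CookieJar subclass that refuses to parse any Set-Cookie header whose expires= attribute is implausibly long, so an overlong value never reaches LOOSE_HTTP_DATE_RE at all. The 64-character bound, the `_Headers` response stand-in and the sample headers are assumptions constructed for this example.

```python
import email.message
import http.cookiejar
import urllib.request

# A real HTTP date is short: "Wednesday, 09-Nov-2099 23:59:59 GMT" is 35 chars.
# Anything far longer is not a date and is never handed to LOOSE_HTTP_DATE_RE.
MAX_EXPIRES_LEN = 64  # assumption: our own chosen bound, not from CPython


def expires_is_plausible(set_cookie_value):
    """True unless an expires= attribute exceeds MAX_EXPIRES_LEN (linear-time check)."""
    for attr in set_cookie_value.split(";")[1:]:
        name, _, value = attr.partition("=")
        if name.strip().lower() == "expires" and len(value.strip()) > MAX_EXPIRES_LEN:
            return False
    return True


class _Headers:
    """Minimal response stand-in: CookieJar only calls response.info()."""
    def __init__(self, msg):
        self._msg = msg

    def info(self):
        return self._msg


class BoundedCookieJar(http.cookiejar.CookieJar):
    """Drops Set-Cookie headers with an implausibly long expires= value before
    the stdlib date parser (and its vulnerable regex) ever sees them."""
    def __init__(self, *args, **kwargs):
        super().__init__(*args, **kwargs)
        self.dropped = []  # raw header values we refused to parse

    def make_cookies(self, response, request):
        filtered = email.message.Message()
        for name, value in response.info().items():
            if name.lower() == "set-cookie" and not expires_is_plausible(value):
                self.dropped.append(value)
                continue
            filtered[name] = value
        return super().make_cookies(_Headers(filtered), request)


def parse_set_cookie_headers(values, url="http://example.com/"):
    """Run constructed Set-Cookie values through BoundedCookieJar; return
    ({cookie name: expires epoch or None}, number of headers dropped)."""
    msg = email.message.Message()
    for v in values:
        msg["Set-Cookie"] = v
    jar = BoundedCookieJar()
    jar.extract_cookies(_Headers(msg), urllib.request.Request(url))
    return {c.name: c.expires for c in jar}, len(jar.dropped)
```

A Netscape-style date such as `Wed, 09-Jun-2099 10:18:14 GMT` does not match the strict RFC 1123 pattern and is exactly the input that goes through LOOSE_HTTP_DATE_RE, so the kept cookie in the test exercises the real parsing path while the oversized header is rejected before parsing.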

Dates:

  • Disclosure date: 2019-11-14 (Python issue bpo-38804 reported)

Fixed In

Python issue

Regular Expression Denial of Service in http.cookiejar.

  • Python issue: bpo-38804
  • Creation date: 2019-11-14
  • Reporter: Ben Caller

Timeline

Timeline using the disclosure date 2019-11-14 as reference: