VYPR
High severity 7.5 · NVD Advisory · Published Feb 10, 2026 · Updated Apr 15, 2026

CVE-2026-25577

Description

Emmett is a framework designed to simplify your development process. Prior to 1.3.11, the cookies property in emmett_core.http.wrappers.Request does not handle CookieError exceptions when parsing malformed Cookie headers. This allows unauthenticated attackers to trigger HTTP 500 errors and cause denial of service. This vulnerability is fixed in 1.3.11.

Affected packages

Versions sourced from the GitHub Security Advisory.

| Package | Affected versions | Patched versions |
| --- | --- | --- |
| emmett-core (PyPI) | < 1.3.11 | 1.3.11 |

Patches

9557ea23a27c

Catch Request cookies parsing errors

https://github.com/emmett-framework/core · Giovanni Barillari · Feb 9, 2026 · via ghsa
1 file changed · +4 -1
  • emmett_core/http/wrappers/__init__.py+4 1 modified
    @@ -61,7 +61,10 @@ def accept_language(self) -> LanguageAccept:
         def cookies(self) -> SimpleCookie:
             cookies: SimpleCookie = SimpleCookie()
             for cookie in self.headers.get("cookie", "").split(";"):
    -            cookies.load(cookie)
    +            try:
    +                cookies.load(cookie)
    +            except Exception:
    +                continue
             return cookies
     
         @property
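
Review bot: "except Exception" around cookies.load(cookie) is broader than the failure being fixed. The advisory names CookieError, so catch CookieError from the same http.cookies module that provides SimpleCookie and let anything else surface. The bare "continue" also drops the malformed segment silently; a debug-level log line or counter at that point would give operators a signal when clients send bad Cookie headers.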
    
c126757133e1

Catch Request cookies parsing errors

https://github.com/emmett-framework/core · Giovanni Barillari · Feb 9, 2026 · via ghsa
2 files changed · +5 -1
  • emmett_core/http/wrappers/__init__.py+4 1 modified
    @@ -62,7 +62,10 @@ def accept_language(self) -> LanguageAccept:
         def cookies(self) -> SimpleCookie:
             cookies: SimpleCookie = SimpleCookie()
             for cookie in self.headers.get("cookie", "").split(";"):
    -            cookies.load(cookie)
    +            try:
    +                cookies.load(cookie)
    +            except Exception:
    +                continue
             return cookies
     
         @property
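
Review bot: No test accompanies the new try/except in cookies(); the commit touches only this file and pyproject.toml. Add a regression test that builds a Request whose Cookie header mixes one malformed segment with one valid pair, and assert that the property returns without raising and still contains the valid cookie. A short docstring on cookies() stating that unparseable segments are skipped would also document the new behaviour.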
    
  • pyproject.toml+1 0 modified
    @@ -107,6 +107,7 @@ extend-ignore = [
         'N818', # leave to us exceptions naming
         'S101', # assert is fine
         'S110', # pass on exceptions is fine
    +    'S112',
         'UP031',
         'UP038',
     ]
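
Review bot: 'S112' goes into extend-ignore without the explanatory comment that the S-rule entries above it carry (compare 'S110', # pass on exceptions is fine), and it turns off the try-except-continue check for the whole project. Add a comment giving the reason, or better, drop the global ignore and put "# noqa: S112" on the single "continue" in emmett_core/http/wrappers/__init__.py so that new silent-continue handlers elsewhere are still flagged.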
    
