Description
Emmett is a framework designed to simplify your development process. Prior to 1.3.11, the cookies property in emmett_core.http.wrappers.Request does not handle CookieError exceptions when parsing malformed Cookie headers. This allows unauthenticated attackers to trigger HTTP 500 errors and cause denial of service. This vulnerability is fixed in 1.3.11.
Published: 2026-02-10
Score: 7.5 High
EPSS: < 1% Very Low
KEV: No
Impact: Denial of Service
Action: Patch Immediately
AI Analysis

Impact

This vulnerability manifests as an unhandled CookieError exception raised when the Emmett framework parses a malformed Cookie header. Each such request produces a 500 Internal Server Error that is returned to the client; a stream of them keeps exhausting server resources and effectively denies service. The root cause is improper exception handling in the request wrapper, classified as CWE-248 and CWE-307.

Affected Systems

The affected product is Emmett framework core; every installation running a version older than 1.3.11 is affected. Exploitation does not require an authenticated context: any external user can trigger the flaw by sending a crafted HTTP request containing invalid cookies.

Risk and Exploitability

With a CVSS score of 7.5, the vulnerability is rated high severity. The EPSS score indicates that active exploitation is expected to be low, and it is not currently listed in the CISA KEV catalog. The attack vector inferred from the description is remote, since the vulnerability is triggered by external HTTP traffic carrying malformed cookies. Because no authentication or privileged access is required, the exposure is broad.

Generated by OpenCVE AI on April 17, 2026 at 20:45 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade the Emmett framework to version 1.3.11 or later to apply the vendor‑provided fix.
  • If an immediate upgrade is not possible, modify the request handling code to catch and properly process CookieError exceptions, returning a safe error response instead of a 500 status.
  • Additionally, implement input validation or filtering on Cookie headers to reject malformed values, and consider rate limiting or temporary blocking of IPs that repeatedly trigger 500 errors to mitigate denial‑of‑service attacks.
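The mitigation in the second recommended action, shown as an added example that is not Emmett's own code: cookie parsing on Python's standard http.cookies module, with the vulnerable pattern (CookieError escapes and becomes a 500) beside the hardened one (CookieError caught, client gets a safe response). The handle_request_* functions, the sample headers and the choice of a 400 response are assumptions made for this illustration.

```python
"""Vulnerable vs. hardened handling of CookieError (added example, not
Emmett's code; handle_request_* and the 400 response are assumptions)."""
from http.cookies import CookieError, SimpleCookie
from typing import Dict, Tuple


def parse_cookies_unsafe(header: str) -> Dict[str, str]:
    """Vulnerable pattern: CookieError from a malformed header propagates."""
    jar = SimpleCookie()
    jar.load(header)  # raises CookieError on an illegal name or attribute
    return {name: morsel.value for name, morsel in jar.items()}


def parse_cookies_safe(header: str) -> Tuple[Dict[str, str], bool]:
    """Hardened pattern: return (cookies, malformed) and never raise."""
    jar = SimpleCookie()
    try:
        jar.load(header)
    except CookieError:
        return {}, True
    return {name: morsel.value for name, morsel in jar.items()}, False


def handle_request_vulnerable(headers: Dict[str, str]) -> Tuple[int, Dict[str, str]]:
    """Emulates pre-1.3.11 behaviour: the wrapper does not catch CookieError,
    so the server's generic error handler answers with a 500."""
    try:
        cookies = parse_cookies_unsafe(headers.get("cookie", ""))
    except Exception:  # stands in for the framework's last-resort handler
        return 500, {}
    return 200, cookies


def handle_request_fixed(headers: Dict[str, str]) -> Tuple[int, Dict[str, str]]:
    """A malformed Cookie header is a client error: answer 400, not 500."""
    cookies, malformed = parse_cookies_safe(headers.get("cookie", ""))
    if malformed:
        return 400, {}
    return 200, cookies


if __name__ == "__main__":
    # Constructed sample headers: one well-formed, two malformed
    # ("{" is not a legal cookie-name character; "$bogus" is not a known attribute).
    for raw in ("session=abc123; theme=dark", "a{b=1", "session=abc123; $bogus=1"):
        hdr = {"cookie": raw}
        print(f"{raw!r:35} vulnerable={handle_request_vulnerable(hdr)[0]} "
              f"fixed={handle_request_fixed(hdr)[0]}")
```

Logging the malformed header (minus its value) at the 400 path gives the rate-limiting suggested in the third bullet something to key on.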

Advisories

Source: Github GHSA
ID: GHSA-x6cr-mq53-cc76
Title: Emmett-Core: Unhandled CookieError Exception Causing Denial of Service

History

Thu, 12 Feb 2026 09:45:00 +0000

Type: First Time appeared
Values Added: Emmett-framework; Emmett-framework core

Type: Vendors & Products
Values Added: Emmett-framework; Emmett-framework core

Wed, 11 Feb 2026 16:15:00 +0000

Type: Metrics (ssvc)
Values Added: {'options': {'Automatable': 'yes', 'Exploitation': 'poc', 'Technical Impact': 'partial'}, 'version': '2.0.3'}

Tue, 10 Feb 2026 17:30:00 +0000

Type: Description
Values Added: Emmett is a framework designed to simplify your development process. Prior to 1.3.11, the cookies property in emmett_core.http.wrappers.Request does not handle CookieError exceptions when parsing malformed Cookie headers. This allows unauthenticated attackers to trigger HTTP 500 errors and cause denial of service. This vulnerability is fixed in 1.3.11.

Type: Title
Values Added: Emmett has an Unhandled CookieError Exception Causing Denial of Service

Type: Weaknesses
Values Added: CWE-248; CWE-307

Type: References

Type: Metrics (cvssV3_1)
Values Added: {'score': 7.5, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H'}

Subscriptions

Emmett-framework Core
MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published:

Updated: 2026-02-11T15:33:08.561Z

Reserved: 2026-02-03T01:02:46.714Z

Link: CVE-2026-25577

Vulnrichment

Updated: 2026-02-11T15:32:48.921Z

NVD

Status: Deferred

Published: 2026-02-10T18:16:37.290

Modified: 2026-04-15T00:35:42.020

Link: CVE-2026-25577

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-04-17T21:00:12Z

Weaknesses