The regex http.cookiejar.LOOSE_HTTP_DATE_RE
is vulnerable to regular
expression denial of service (“REDoS”). LOOSE_HTTP_DATE_RE.match()
is
called when using http.cookiejar.CookieJar
to parse Set-Cookie
headers returned by a HTTP server. Processing a response from a malicious
HTTP server can lead to extreme CPU usage and execution will be blocked
for a long time.