Package Instance
Lookup for vulnerable packages by Package URL.
GET /api/packages/14898?format=api
{ "url": "http://public2.vulnerablecode.io/api/packages/14898?format=api", "purl": "pkg:pypi/tornado@2.4", "type": "pypi", "namespace": "", "name": "tornado", "version": "2.4", "qualifiers": {}, "subpath": "", "is_vulnerable": true, "next_non_vulnerable_version": "6.5.5", "latest_non_vulnerable_version": "6.5.5", "affected_by_vulnerabilities": [ { "url": "http://public2.vulnerablecode.io/api/vulnerabilities/56250?format=api", "vulnerability_id": "VCID-27ab-kc1z-2fcv", "summary": "Tornado has an HTTP cookie parsing DoS vulnerability\nThe algorithm used for parsing HTTP cookies in Tornado versions prior to 6.4.2 sometimes has quadratic complexity, leading to excessive CPU consumption when parsing maliciously-crafted cookie headers. This parsing occurs in the event loop thread and may block the processing of other requests.\n\nSee also CVE-2024-7592 for a similar vulnerability in cpython.", "references": [ { "reference_url": "https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2024-52804.json", "reference_id": "", "reference_type": "", "scores": [ { "value": "7.5", "scoring_system": "cvssv3", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H" } ], "url": "https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2024-52804.json" }, { "reference_url": "https://api.first.org/data/v1/epss?cve=CVE-2024-52804", "reference_id": "", "reference_type": "", "scores": [ { "value": "0.0016", "scoring_system": "epss", "scoring_elements": "0.36754", "published_at": "2026-06-05T12:55:00Z" } ], "url": "https://api.first.org/data/v1/epss?cve=CVE-2024-52804" }, { "reference_url": "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2024-52804", "reference_id": "", "reference_type": "", "scores": [], "url": "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2024-52804" }, { "reference_url": "https://ftp.suse.com/pub/projects/security/yaml/suse-cvss-scores.yaml", "reference_id": "", "reference_type": "", "scores": [ { "value": "5.3", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L" } ], "url": "https://ftp.suse.com/pub/projects/security/yaml/suse-cvss-scores.yaml" }, { "reference_url": "https://github.com/tornadoweb/tornado", "reference_id": "", "reference_type": "", "scores": [ { "value": "7.5", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H" }, { "value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/tornadoweb/tornado" }, { "reference_url": "https://github.com/tornadoweb/tornado/commit/d5ba4a1695fbf7c6a3e54313262639b198291533", "reference_id": "", "reference_type": "", "scores": [ { "value": "7.5", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H" }, { "value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": "" }, { "value": "Track", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:N/A:Y/T:P/P:M/B:A/M:M/D:T/2024-11-25T17:54:41Z/" } ], "url": "https://github.com/tornadoweb/tornado/commit/d5ba4a1695fbf7c6a3e54313262639b198291533" }, { "reference_url": "https://lists.debian.org/debian-lts-announce/2025/01/msg00000.html", "reference_id": "", "reference_type": "", "scores": [ { "value": "7.5", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H" }, { "value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://lists.debian.org/debian-lts-announce/2025/01/msg00000.html" }, { "reference_url": "https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1088112", "reference_id": "1088112", "reference_type": "", "scores": [], "url": "https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1088112" }, { "reference_url": "https://bugzilla.redhat.com/show_bug.cgi?id=2328045", "reference_id": "2328045", "reference_type": "", "scores": [], "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2328045" }, { "reference_url": "https://nvd.nist.gov/vuln/detail/CVE-2024-52804", "reference_id": "CVE-2024-52804", "reference_type": "", "scores": [ { "value": "7.5", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H" }, { "value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-52804" }, { "reference_url": "https://github.com/advisories/GHSA-7pwv-g7hj-39pr", "reference_id": "GHSA-7pwv-g7hj-39pr", "reference_type": "", "scores": [ { "value": "7.5", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H" }, { "value": "Track", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:N/A:Y/T:P/P:M/B:A/M:M/D:T/2024-11-25T17:54:41Z/" } ], "url": "https://github.com/advisories/GHSA-7pwv-g7hj-39pr" }, { "reference_url": "https://github.com/advisories/GHSA-8w49-h785-mj3c", "reference_id": "GHSA-8w49-h785-mj3c", "reference_type": "", "scores": [], "url": "https://github.com/advisories/GHSA-8w49-h785-mj3c" }, { "reference_url": "https://github.com/tornadoweb/tornado/security/advisories/GHSA-8w49-h785-mj3c", "reference_id": "GHSA-8w49-h785-mj3c", "reference_type": "", "scores": [ { "value": "7.5", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H" }, { "value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": "" }, { "value": "Track", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:N/A:Y/T:P/P:M/B:A/M:M/D:T/2024-11-25T17:54:41Z/" } ], "url": "https://github.com/tornadoweb/tornado/security/advisories/GHSA-8w49-h785-mj3c" }, { "reference_url": "https://access.redhat.com/errata/RHSA-2024:10590", "reference_id": "RHSA-2024:10590", "reference_type": "", "scores": [], "url": "https://access.redhat.com/errata/RHSA-2024:10590" }, { "reference_url": "https://access.redhat.com/errata/RHSA-2024:10836", "reference_id": "RHSA-2024:10836", "reference_type": "", "scores": [], "url": "https://access.redhat.com/errata/RHSA-2024:10836" }, { "reference_url": "https://access.redhat.com/errata/RHSA-2024:10843", "reference_id": "RHSA-2024:10843", "reference_type": "", "scores": [], "url": "https://access.redhat.com/errata/RHSA-2024:10843" }, { "reference_url": "https://access.redhat.com/errata/RHSA-2025:2470", "reference_id": "RHSA-2025:2470", "reference_type": "", "scores": [], "url": "https://access.redhat.com/errata/RHSA-2025:2470" }, { "reference_url": "https://access.redhat.com/errata/RHSA-2025:2471", "reference_id": "RHSA-2025:2471", "reference_type": "", "scores": [], "url": "https://access.redhat.com/errata/RHSA-2025:2471" }, { "reference_url": "https://access.redhat.com/errata/RHSA-2025:2550", "reference_id": "RHSA-2025:2550", "reference_type": "", "scores": [], "url": "https://access.redhat.com/errata/RHSA-2025:2550" }, { "reference_url": "https://access.redhat.com/errata/RHSA-2025:2872", "reference_id": "RHSA-2025:2872", "reference_type": "", "scores": [], "url": "https://access.redhat.com/errata/RHSA-2025:2872" }, { "reference_url": "https://access.redhat.com/errata/RHSA-2025:2955", "reference_id": "RHSA-2025:2955", "reference_type": "", "scores": [], "url": "https://access.redhat.com/errata/RHSA-2025:2955" }, { "reference_url": "https://access.redhat.com/errata/RHSA-2025:2956", "reference_id": "RHSA-2025:2956", "reference_type": "", "scores": [], "url": "https://access.redhat.com/errata/RHSA-2025:2956" }, { "reference_url": "https://access.redhat.com/errata/RHSA-2025:3108", "reference_id": "RHSA-2025:3108", "reference_type": "", "scores": [], "url": "https://access.redhat.com/errata/RHSA-2025:3108" }, { "reference_url": "https://access.redhat.com/errata/RHSA-2025:3109", "reference_id": "RHSA-2025:3109", "reference_type": "", "scores": [], "url": "https://access.redhat.com/errata/RHSA-2025:3109" }, { "reference_url": "https://usn.ubuntu.com/7150-1/", "reference_id": "USN-7150-1", "reference_type": "", "scores": [], "url": "https://usn.ubuntu.com/7150-1/" } ], "fixed_packages": [ { "url": "http://public2.vulnerablecode.io/api/packages/48586?format=api", "purl": "pkg:pypi/tornado@6.4.2", "is_vulnerable": true, "affected_by_vulnerabilities": [ { "vulnerability": "VCID-96r3-89by-dyer" }, { "vulnerability": "VCID-9vcz-3gme-b3bm" }, { "vulnerability": "VCID-hyxq-9kuv-k3dt" }, { "vulnerability": "VCID-npxk-vap1-7qem" } ], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:pypi/tornado@6.4.2" } ], "aliases": [ "CVE-2024-52804", "GHSA-8w49-h785-mj3c" ], "risk_score": 4.0, "exploitability": "0.5", "weighted_severity": "8.0", "resource_url": "http://public2.vulnerablecode.io/vulnerabilities/VCID-27ab-kc1z-2fcv" }, { "url": "http://public2.vulnerablecode.io/api/vulnerabilities/55258?format=api", "vulnerability_id": "VCID-293v-ye5g-3qh9", "summary": "Tornado has a CRLF injection in CurlAsyncHTTPClient headers\nTornado’s `curl_httpclient.CurlAsyncHTTPClient` class is vulnerable to CRLF (carriage return/line feed) injection in the request headers.", "references": [ { "reference_url": "https://github.com/tornadoweb/tornado", "reference_id": "", "reference_type": "", "scores": [ { "value": "6.5", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/tornadoweb/tornado" }, { "reference_url": "https://github.com/tornadoweb/tornado/commit/7786f09f84c9f3f2012c4cf3878417cb9f053669", "reference_id": "", "reference_type": "", "scores": [ { "value": "6.5", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/tornadoweb/tornado/commit/7786f09f84c9f3f2012c4cf3878417cb9f053669" }, { "reference_url": "https://github.com/advisories/GHSA-w235-7p84-xx57", "reference_id": "GHSA-w235-7p84-xx57", "reference_type": "", "scores": [ { "value": "MODERATE", "scoring_system": "cvssv3.1_qr", "scoring_elements": "" } ], "url": "https://github.com/advisories/GHSA-w235-7p84-xx57" }, { "reference_url": "https://github.com/tornadoweb/tornado/security/advisories/GHSA-w235-7p84-xx57", "reference_id": "GHSA-w235-7p84-xx57", "reference_type": "", "scores": [ { "value": "6.5", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N" }, { "value": "MODERATE", "scoring_system": "cvssv3.1_qr", "scoring_elements": "" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/tornadoweb/tornado/security/advisories/GHSA-w235-7p84-xx57" } ], "fixed_packages": [ { "url": "http://public2.vulnerablecode.io/api/packages/48585?format=api", "purl": "pkg:pypi/tornado@6.4.1", "is_vulnerable": true, "affected_by_vulnerabilities": [ { "vulnerability": "VCID-27ab-kc1z-2fcv" }, { "vulnerability": "VCID-96r3-89by-dyer" }, { "vulnerability": "VCID-9vcz-3gme-b3bm" }, { "vulnerability": "VCID-hyxq-9kuv-k3dt" }, { "vulnerability": "VCID-npxk-vap1-7qem" } ], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:pypi/tornado@6.4.1" } ], "aliases": [ "GHSA-w235-7p84-xx57" ], "risk_score": null, "exploitability": null, "weighted_severity": null, "resource_url": "http://public2.vulnerablecode.io/vulnerabilities/VCID-293v-ye5g-3qh9" }, { "url": "http://public2.vulnerablecode.io/api/vulnerabilities/45837?format=api", "vulnerability_id": "VCID-2jy5-24sv-9qhj", "summary": "Tornado vulnerable to HTTP request smuggling via improper parsing of `Content-Length` fields and chunk lengths\n## Summary\nTornado interprets `-`, `+`, and `_` in chunk length and `Content-Length` values, which are not allowed by the HTTP RFCs. This can result in request smuggling when Tornado is deployed behind certain proxies that interpret those non-standard characters differently. This is known to apply to older versions of haproxy, although the current release is not affected.\n\n## Details\nTornado uses the `int` constructor to parse the values of `Content-Length` headers and chunk lengths in the following locations:\n### `tornado/http1connection.py:445`\n```python3\n self._expected_content_remaining = int(headers[\"Content-Length\"])\n```\n### `tornado/http1connection.py:621`\n```python3\n content_length = int(headers[\"Content-Length\"]) # type: Optional[int]\n```\n### `tornado/http1connection.py:671`\n```python3\n chunk_len = int(chunk_len_str.strip(), 16)\n```\nBecause `int(\"0_0\") == int(\"+0\") == int(\"-0\") == int(\"0\")`, using the `int` constructor to parse and validate strings that should contain only ASCII digits is not a good strategy.", "references": [ { "reference_url": "https://github.com/tornadoweb/tornado", "reference_id": "", "reference_type": "", "scores": [ { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/tornadoweb/tornado" }, { "reference_url": "https://github.com/tornadoweb/tornado/commit/b7a5dd29bb02950303ae96055082c12a1ea0a4fe", "reference_id": "", "reference_type": "", "scores": [ { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/tornadoweb/tornado/commit/b7a5dd29bb02950303ae96055082c12a1ea0a4fe" }, { "reference_url": "https://github.com/advisories/GHSA-qppv-j76h-2rpx", "reference_id": "GHSA-qppv-j76h-2rpx", "reference_type": "", "scores": [], "url": "https://github.com/advisories/GHSA-qppv-j76h-2rpx" }, { "reference_url": "https://github.com/tornadoweb/tornado/security/advisories/GHSA-qppv-j76h-2rpx", "reference_id": "GHSA-qppv-j76h-2rpx", "reference_type": "", "scores": [ { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/tornadoweb/tornado/security/advisories/GHSA-qppv-j76h-2rpx" } ], "fixed_packages": [ { "url": "http://public2.vulnerablecode.io/api/packages/48582?format=api", "purl": "pkg:pypi/tornado@6.3.3", "is_vulnerable": true, "affected_by_vulnerabilities": [ { "vulnerability": "VCID-27ab-kc1z-2fcv" }, { "vulnerability": "VCID-293v-ye5g-3qh9" }, { "vulnerability": "VCID-96r3-89by-dyer" }, { "vulnerability": "VCID-9vcz-3gme-b3bm" }, { "vulnerability": "VCID-hyxq-9kuv-k3dt" }, { "vulnerability": "VCID-npxk-vap1-7qem" }, { "vulnerability": "VCID-vu4k-akst-wbhy" } ], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:pypi/tornado@6.3.3" } ], "aliases": [ "GHSA-qppv-j76h-2rpx", "GMS-2023-1908" ], "risk_score": null, "exploitability": null, "weighted_severity": null, "resource_url": "http://public2.vulnerablecode.io/vulnerabilities/VCID-2jy5-24sv-9qhj" }, { "url": "http://public2.vulnerablecode.io/api/vulnerabilities/37232?format=api", "vulnerability_id": "VCID-96r3-89by-dyer", "summary": "Tornado is a Python web framework and asynchronous networking library. In versions of Tornado prior to 6.5.5, the only limit on the number of parts in multipart/form-data is the max_body_size setting (default 100MB). Since parsing occurs synchronously on the main thread, this creates the possibility of denial-of-service due to the cost of parsing very large multipart bodies with many parts. This vulnerability is fixed in 6.5.5.", "references": [ { "reference_url": "https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2026-31958.json", "reference_id": "", "reference_type": "", "scores": [ { "value": "5.3", "scoring_system": "cvssv3", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L" } ], "url": "https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2026-31958.json" }, { "reference_url": "https://api.first.org/data/v1/epss?cve=CVE-2026-31958", "reference_id": "", "reference_type": "", "scores": [ { "value": "0.00028", "scoring_system": "epss", "scoring_elements": "0.08453", "published_at": "2026-06-05T12:55:00Z" } ], "url": "https://api.first.org/data/v1/epss?cve=CVE-2026-31958" }, { "reference_url": "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2026-31958", "reference_id": "", "reference_type": "", "scores": [], "url": "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2026-31958" }, { "reference_url": "https://ftp.suse.com/pub/projects/security/yaml/suse-cvss-scores.yaml", "reference_id": "", "reference_type": "", "scores": [ { "value": "7.5", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H" } ], "url": "https://ftp.suse.com/pub/projects/security/yaml/suse-cvss-scores.yaml" }, { "reference_url": "https://github.com/tornadoweb/tornado", "reference_id": "", "reference_type": "", "scores": [ { "value": "7.5", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H" }, { "value": "8.7", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N" }, { "value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/tornadoweb/tornado" }, { "reference_url": "https://github.com/tornadoweb/tornado/commit/119a195e290c43ad2d63a2cf012c29d43d6ed839", "reference_id": "", "reference_type": "", "scores": [ { "value": "7.5", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H" }, { "value": "8.7", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N" }, { "value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/tornadoweb/tornado/commit/119a195e290c43ad2d63a2cf012c29d43d6ed839" }, { "reference_url": "https://github.com/tornadoweb/tornado/releases/tag/v6.5.5", "reference_id": "", "reference_type": "", "scores": [ { "value": "7.5", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H" }, { "value": "8.7", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N" }, { "value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/tornadoweb/tornado/releases/tag/v6.5.5" }, { "reference_url": "https://github.com/tornadoweb/tornado/security/advisories/GHSA-qjxf-f2mg-c6mc", "reference_id": "", "reference_type": "", "scores": [ { "value": "7.5", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H" }, { "value": "8.7", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N" }, { "value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": "" }, { "value": "Track", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:N/A:Y/T:P/P:M/B:A/M:M/D:T/2026-03-12T19:55:43Z/" } ], "url": "https://github.com/tornadoweb/tornado/security/advisories/GHSA-qjxf-f2mg-c6mc" }, { "reference_url": "https://lists.debian.org/debian-lts-announce/2026/04/msg00000.html", "reference_id": "", "reference_type": "", "scores": [ { "value": "7.5", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H" }, { "value": "8.7", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N" }, { "value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://lists.debian.org/debian-lts-announce/2026/04/msg00000.html" }, { "reference_url": "https://nvd.nist.gov/vuln/detail/CVE-2026-31958", "reference_id": "", "reference_type": "", "scores": [ { "value": "7.5", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H" }, { "value": "8.7", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N" }, { "value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-31958" }, { "reference_url": "https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1130507", "reference_id": "1130507", "reference_type": "", "scores": [], "url": "https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1130507" }, { "reference_url": "https://bugzilla.redhat.com/show_bug.cgi?id=2446765", "reference_id": "2446765", "reference_type": "", "scores": [], "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2446765" }, { "reference_url": "https://github.com/advisories/GHSA-qjxf-f2mg-c6mc", "reference_id": "GHSA-qjxf-f2mg-c6mc", "reference_type": "", "scores": [], "url": "https://github.com/advisories/GHSA-qjxf-f2mg-c6mc" }, { "reference_url": "https://access.redhat.com/errata/RHSA-2026:10184", "reference_id": "RHSA-2026:10184", "reference_type": "", "scores": [], "url": "https://access.redhat.com/errata/RHSA-2026:10184" }, { "reference_url": "https://access.redhat.com/errata/RHSA-2026:11454", "reference_id": "RHSA-2026:11454", "reference_type": "", "scores": [], "url": "https://access.redhat.com/errata/RHSA-2026:11454" }, { "reference_url": "https://access.redhat.com/errata/RHSA-2026:11493", "reference_id": "RHSA-2026:11493", "reference_type": "", "scores": [], "url": "https://access.redhat.com/errata/RHSA-2026:11493" }, { "reference_url": "https://access.redhat.com/errata/RHSA-2026:11494", "reference_id": "RHSA-2026:11494", "reference_type": "", "scores": [], "url": "https://access.redhat.com/errata/RHSA-2026:11494" }, { "reference_url": "https://access.redhat.com/errata/RHSA-2026:11495", "reference_id": "RHSA-2026:11495", "reference_type": "", "scores": [], "url": "https://access.redhat.com/errata/RHSA-2026:11495" }, { "reference_url": "https://access.redhat.com/errata/RHSA-2026:13641", "reference_id": "RHSA-2026:13641", "reference_type": "", "scores": [], "url": "https://access.redhat.com/errata/RHSA-2026:13641" }, { "reference_url": "https://access.redhat.com/errata/RHSA-2026:13670", "reference_id": "RHSA-2026:13670", "reference_type": "", "scores": [], "url": "https://access.redhat.com/errata/RHSA-2026:13670" }, { "reference_url": "https://access.redhat.com/errata/RHSA-2026:19034", "reference_id": "RHSA-2026:19034", "reference_type": "", "scores": [], "url": "https://access.redhat.com/errata/RHSA-2026:19034" }, { "reference_url": "https://access.redhat.com/errata/RHSA-2026:19189", "reference_id": "RHSA-2026:19189", "reference_type": "", "scores": [], "url": "https://access.redhat.com/errata/RHSA-2026:19189" }, { "reference_url": "https://access.redhat.com/errata/RHSA-2026:20572", "reference_id": "RHSA-2026:20572", "reference_type": "", "scores": [], "url": "https://access.redhat.com/errata/RHSA-2026:20572" }, { "reference_url": "https://access.redhat.com/errata/RHSA-2026:20573", "reference_id": "RHSA-2026:20573", "reference_type": "", "scores": [], "url": "https://access.redhat.com/errata/RHSA-2026:20573" }, { "reference_url": "https://access.redhat.com/errata/RHSA-2026:20577", "reference_id": "RHSA-2026:20577", "reference_type": "", "scores": [], "url": "https://access.redhat.com/errata/RHSA-2026:20577" }, { "reference_url": "https://access.redhat.com/errata/RHSA-2026:20810", "reference_id": "RHSA-2026:20810", "reference_type": "", "scores": [], "url": "https://access.redhat.com/errata/RHSA-2026:20810" }, { "reference_url": "https://access.redhat.com/errata/RHSA-2026:8093", "reference_id": "RHSA-2026:8093", "reference_type": "", "scores": [], "url": "https://access.redhat.com/errata/RHSA-2026:8093" }, { "reference_url": "https://usn.ubuntu.com/8198-1/", "reference_id": "USN-8198-1", "reference_type": "", "scores": [], "url": "https://usn.ubuntu.com/8198-1/" }, { "reference_url": "https://usn.ubuntu.com/8198-2/", "reference_id": "USN-8198-2", "reference_type": "", "scores": [], "url": "https://usn.ubuntu.com/8198-2/" } ], "fixed_packages": [ { "url": "http://public2.vulnerablecode.io/api/packages/48593?format=api", "purl": "pkg:pypi/tornado@6.5.5", "is_vulnerable": false, "affected_by_vulnerabilities": [], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:pypi/tornado@6.5.5" } ], "aliases": [ "CVE-2026-31958", "GHSA-qjxf-f2mg-c6mc", "PYSEC-2026-140" ], "risk_score": 4.0, "exploitability": "0.5", "weighted_severity": "8.0", "resource_url": "http://public2.vulnerablecode.io/vulnerabilities/VCID-96r3-89by-dyer" }, { "url": "http://public2.vulnerablecode.io/api/vulnerabilities/63659?format=api", "vulnerability_id": "VCID-9vcz-3gme-b3bm", "summary": "tornado: Tornado: Cookie attribute injection due to improper handling of cookie arguments", "references": [ { "reference_url": "https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2026-35536.json", "reference_id": "", "reference_type": "", "scores": [ { "value": "5.4", "scoring_system": "cvssv3", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:L/A:N" } ], "url": "https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2026-35536.json" }, { "reference_url": "https://api.first.org/data/v1/epss?cve=CVE-2026-35536", "reference_id": "", "reference_type": "", "scores": [ { "value": "0.00018", "scoring_system": "epss", "scoring_elements": "0.04868", "published_at": "2026-06-05T12:55:00Z" } ], "url": "https://api.first.org/data/v1/epss?cve=CVE-2026-35536" }, { "reference_url": "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2026-35536", "reference_id": "", "reference_type": "", "scores": [], "url": "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2026-35536" }, { "reference_url": "https://ftp.suse.com/pub/projects/security/yaml/suse-cvss-scores.yaml", "reference_id": "", "reference_type": "", "scores": [ { "value": "7.2", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:L/I:L/A:N" } ], "url": "https://ftp.suse.com/pub/projects/security/yaml/suse-cvss-scores.yaml" }, { "reference_url": "https://github.com/tornadoweb/tornado", "reference_id": "", "reference_type": "", "scores": [ { "value": "7.2", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:L/I:L/A:N" }, { "value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/tornadoweb/tornado" }, { "reference_url": "https://github.com/tornadoweb/tornado/releases/tag/v6.5.5", "reference_id": "", "reference_type": "", "scores": [ { "value": "7.2", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:L/I:L/A:N" }, { "value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": "" }, { "value": "Track", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:N/A:Y/T:P/P:M/B:A/M:M/D:T/2026-04-03T13:12:08Z/" } ], "url": "https://github.com/tornadoweb/tornado/releases/tag/v6.5.5" }, { "reference_url": "https://nvd.nist.gov/vuln/detail/CVE-2026-35536", "reference_id": "", "reference_type": "", "scores": [ { "value": "7.2", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:L/I:L/A:N" }, { "value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-35536" }, { "reference_url": "https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1132367", "reference_id": "1132367", "reference_type": "", "scores": [], "url": "https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1132367" }, { "reference_url": "https://bugzilla.redhat.com/show_bug.cgi?id=2454716", "reference_id": "2454716", "reference_type": "", "scores": [], "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2454716" }, { "reference_url": "https://github.com/tornadoweb/tornado/security/advisories/GHSA-78cv-mqj4-43f7", "reference_id": "GHSA-78cv-mqj4-43f7", "reference_type": "", "scores": [ { "value": "7.2", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:L/I:L/A:N" }, { "value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": "" }, { "value": "Track", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:N/A:Y/T:P/P:M/B:A/M:M/D:T/2026-04-03T13:12:08Z/" } ], "url": "https://github.com/tornadoweb/tornado/security/advisories/GHSA-78cv-mqj4-43f7" }, { "reference_url": "https://github.com/advisories/GHSA-fqwm-6jpj-5wxc", "reference_id": "GHSA-fqwm-6jpj-5wxc", "reference_type": "", "scores": [], "url": "https://github.com/advisories/GHSA-fqwm-6jpj-5wxc" }, { "reference_url": "https://access.redhat.com/errata/RHSA-2026:13641", "reference_id": "RHSA-2026:13641", "reference_type": "", "scores": [], "url": "https://access.redhat.com/errata/RHSA-2026:13641" }, { "reference_url": "https://access.redhat.com/errata/RHSA-2026:13670", "reference_id": "RHSA-2026:13670", "reference_type": "", "scores": [], "url": "https://access.redhat.com/errata/RHSA-2026:13670" }, { "reference_url": "https://access.redhat.com/errata/RHSA-2026:19034", "reference_id": "RHSA-2026:19034", "reference_type": "", "scores": [], "url": "https://access.redhat.com/errata/RHSA-2026:19034" }, { "reference_url": "https://access.redhat.com/errata/RHSA-2026:19189", "reference_id": "RHSA-2026:19189", "reference_type": "", "scores": [], "url": "https://access.redhat.com/errata/RHSA-2026:19189" }, { "reference_url": "https://access.redhat.com/errata/RHSA-2026:20572", "reference_id": "RHSA-2026:20572", "reference_type": "", "scores": [], "url": "https://access.redhat.com/errata/RHSA-2026:20572" }, { "reference_url": "https://access.redhat.com/errata/RHSA-2026:20573", "reference_id": "RHSA-2026:20573", "reference_type": "", "scores": [], "url": "https://access.redhat.com/errata/RHSA-2026:20573" }, { "reference_url": "https://access.redhat.com/errata/RHSA-2026:20577", "reference_id": "RHSA-2026:20577", "reference_type": "", "scores": [], "url": "https://access.redhat.com/errata/RHSA-2026:20577" }, { "reference_url": "https://access.redhat.com/errata/RHSA-2026:20810", "reference_id": "RHSA-2026:20810", "reference_type": "", "scores": [], "url": "https://access.redhat.com/errata/RHSA-2026:20810" }, { "reference_url": "https://usn.ubuntu.com/8198-1/", "reference_id": "USN-8198-1", "reference_type": "", "scores": [], "url": "https://usn.ubuntu.com/8198-1/" }, { "reference_url": "https://usn.ubuntu.com/8198-2/", "reference_id": "USN-8198-2", "reference_type": "", "scores": [], "url": "https://usn.ubuntu.com/8198-2/" } ], "fixed_packages": [ { "url": "http://public2.vulnerablecode.io/api/packages/48593?format=api", "purl": "pkg:pypi/tornado@6.5.5", "is_vulnerable": false, "affected_by_vulnerabilities": [], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:pypi/tornado@6.5.5" } ], "aliases": [ "CVE-2026-35536", "GHSA-fqwm-6jpj-5wxc" ], "risk_score": 4.0, "exploitability": "0.5", "weighted_severity": "8.0", "resource_url": "http://public2.vulnerablecode.io/vulnerabilities/VCID-9vcz-3gme-b3bm" }, { "url": "http://public2.vulnerablecode.io/api/vulnerabilities/36449?format=api", "vulnerability_id": "VCID-a4ry-gnvn-e3a1", "summary": "Open redirect vulnerability in Tornado versions 6.3.1 and earlier allows a remote unauthenticated attacker to redirect a user to an arbitrary web site and conduct a phishing attack by having user access a specially crafted URL.", "references": [ { "reference_url": "https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2023-28370.json", "reference_id": "", "reference_type": "", "scores": [ { "value": "7.4", "scoring_system": "cvssv3", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:N/I:H/A:N" } ], "url": "https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2023-28370.json" }, { "reference_url": "https://api.first.org/data/v1/epss?cve=CVE-2023-28370", "reference_id": "", "reference_type": "", "scores": [ { "value": "0.0043", "scoring_system": "epss", "scoring_elements": "0.62925", "published_at": "2026-06-05T12:55:00Z" } ], "url": "https://api.first.org/data/v1/epss?cve=CVE-2023-28370" }, { "reference_url": "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-28370", "reference_id": "", "reference_type": "", "scores": [], "url": "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-28370" }, { "reference_url": "https://ftp.suse.com/pub/projects/security/yaml/suse-cvss-scores.yaml", "reference_id": "", "reference_type": "", "scores": [ { "value": "3.4", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:C/C:N/I:L/A:N" } ], "url": "https://ftp.suse.com/pub/projects/security/yaml/suse-cvss-scores.yaml" }, { "reference_url": "https://github.com/pypa/advisory-database/tree/main/vulns/tornado/PYSEC-2023-75.yaml", "reference_id": "", "reference_type": "", "scores": [ { "value": "6.1", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N" }, { "value": "5.3", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:P/VC:N/VI:N/VA:N/SC:L/SI:L/SA:N" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/pypa/advisory-database/tree/main/vulns/tornado/PYSEC-2023-75.yaml" }, { "reference_url": "https://github.com/tornadoweb/tornado", "reference_id": "", "reference_type": "", "scores": [ { "value": "6.1", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N" }, { "value": "5.3", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:P/VC:N/VI:N/VA:N/SC:L/SI:L/SA:N" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/tornadoweb/tornado" }, { "reference_url": "https://github.com/tornadoweb/tornado/commit/32ad07c54e607839273b4e1819c347f5c8976b2f", "reference_id": "", "reference_type": "", "scores": [ { "value": "6.1", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N" }, { "value": "5.3", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:P/VC:N/VI:N/VA:N/SC:L/SI:L/SA:N" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/tornadoweb/tornado/commit/32ad07c54e607839273b4e1819c347f5c8976b2f" }, { "reference_url": "https://github.com/tornadoweb/tornado/releases/tag/v6.3.2", "reference_id": "", "reference_type": "", "scores": [ { "value": "6.1", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N" }, { "value": "5.3", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:P/VC:N/VI:N/VA:N/SC:L/SI:L/SA:N" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" }, { "value": "Track", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2025-01-16T15:19:04Z/" } ], "url": "https://github.com/tornadoweb/tornado/releases/tag/v6.3.2" }, { "reference_url": "https://jvn.jp/en/jp/JVN45127776", "reference_id": "", "reference_type": "", "scores": [ { "value": "6.1", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N" }, { "value": "5.3", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:P/VC:N/VI:N/VA:N/SC:L/SI:L/SA:N" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://jvn.jp/en/jp/JVN45127776" }, { "reference_url": "https://jvn.jp/en/jp/JVN45127776/", "reference_id": "", "reference_type": "", "scores": [ { "value": "6.1", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N" }, { "value": "Track", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2025-01-16T15:19:04Z/" } ], "url": "https://jvn.jp/en/jp/JVN45127776/" }, { "reference_url": "https://lists.debian.org/debian-lts-announce/2025/01/msg00000.html", "reference_id": "", "reference_type": "", "scores": [ { "value": "6.1", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N" }, { "value": "5.3", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:P/VC:N/VI:N/VA:N/SC:L/SI:L/SA:N" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://lists.debian.org/debian-lts-announce/2025/01/msg00000.html" }, { "reference_url": "https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1036875", "reference_id": "1036875", "reference_type": "", "scores": [], "url": "https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1036875" }, { "reference_url": "https://bugzilla.redhat.com/show_bug.cgi?id=2210199", "reference_id": "2210199", "reference_type": "", "scores": [], "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2210199" }, { "reference_url": "https://nvd.nist.gov/vuln/detail/CVE-2023-28370", "reference_id": "CVE-2023-28370", "reference_type": "", "scores": [ { "value": "6.1", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N" }, { "value": "5.3", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:P/VC:N/VI:N/VA:N/SC:L/SI:L/SA:N" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://nvd.nist.gov/vuln/detail/CVE-2023-28370" }, { "reference_url": "https://github.com/advisories/GHSA-hj3f-6gcp-jg8j", "reference_id": "GHSA-hj3f-6gcp-jg8j", "reference_type": "", "scores": [], "url": "https://github.com/advisories/GHSA-hj3f-6gcp-jg8j" }, { "reference_url": "https://access.redhat.com/errata/RHSA-2023:6523", "reference_id": "RHSA-2023:6523", "reference_type": "", "scores": [], "url": "https://access.redhat.com/errata/RHSA-2023:6523" }, { "reference_url": "https://usn.ubuntu.com/6159-1/", "reference_id": "USN-6159-1", "reference_type": "", "scores": [], "url": "https://usn.ubuntu.com/6159-1/" }, { "reference_url": "https://usn.ubuntu.com/7150-1/", "reference_id": "USN-7150-1", "reference_type": "", "scores": [], "url": "https://usn.ubuntu.com/7150-1/" } ], "fixed_packages": [ { "url": "http://public2.vulnerablecode.io/api/packages/33807?format=api", "purl": "pkg:pypi/tornado@6.3.2", "is_vulnerable": true, "affected_by_vulnerabilities": [ { "vulnerability": "VCID-27ab-kc1z-2fcv" }, { "vulnerability": "VCID-293v-ye5g-3qh9" }, { "vulnerability": "VCID-2jy5-24sv-9qhj" }, { "vulnerability": "VCID-96r3-89by-dyer" }, { "vulnerability": "VCID-9vcz-3gme-b3bm" }, { "vulnerability": "VCID-hyxq-9kuv-k3dt" }, { "vulnerability": "VCID-npxk-vap1-7qem" }, { "vulnerability": "VCID-vu4k-akst-wbhy" } ], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:pypi/tornado@6.3.2" } ], "aliases": [ "CVE-2023-28370", "GHSA-hj3f-6gcp-jg8j", "PYSEC-2023-75" ], "risk_score": 3.4, "exploitability": "0.5", "weighted_severity": "6.7", "resource_url": "http://public2.vulnerablecode.io/vulnerabilities/VCID-a4ry-gnvn-e3a1" }, { "url": "http://public2.vulnerablecode.io/api/vulnerabilities/35494?format=api", "vulnerability_id": "VCID-gbeg-1cjj-fufw", "summary": "Tornado before 3.2.2 sends arbitrary responses that contain a fixed CSRF token and may be sent with HTTP compression, which makes it easier for remote attackers to conduct a BREACH attack and determine this token via a series of crafted requests.", "references": [ { "reference_url": "http://openwall.com/lists/oss-security/2015/05/19/4", "reference_id": "", "reference_type": "", "scores": [ { "value": "6.5", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N" }, { "value": "7.1", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:P/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N" }, { "value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "http://openwall.com/lists/oss-security/2015/05/19/4" }, { "reference_url": "https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2014-9720.json", "reference_id": "", "reference_type": "", "scores": [], "url": "https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2014-9720.json" }, { "reference_url": "https://api.first.org/data/v1/epss?cve=CVE-2014-9720", "reference_id": "", "reference_type": "", "scores": [ { "value": "0.00784", "scoring_system": "epss", "scoring_elements": "0.74157", "published_at": "2026-06-05T12:55:00Z" }, { "value": "0.00784", "scoring_system": "epss", "scoring_elements": "0.74123", "published_at": "2026-06-04T12:55:00Z" } ], "url": "https://api.first.org/data/v1/epss?cve=CVE-2014-9720" }, { "reference_url": "https://bugzilla.novell.com/show_bug.cgi?id=930362", "reference_id": "", "reference_type": "", "scores": [ { "value": "6.5", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N" }, { "value": "7.1", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:P/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N" }, { "value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://bugzilla.novell.com/show_bug.cgi?id=930362" }, { "reference_url": "https://bugzilla.redhat.com/show_bug.cgi?id=1222816", "reference_id": "", "reference_type": "", "scores": [ { "value": "6.5", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N" }, { "value": "7.1", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:P/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N" }, { "value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://bugzilla.redhat.com/show_bug.cgi?id=1222816" }, { "reference_url": "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-9720", "reference_id": "", "reference_type": "", "scores": [], "url": "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-9720" }, { "reference_url": "https://github.com/pypa/advisory-database/tree/main/vulns/tornado/PYSEC-2020-213.yaml", "reference_id": "", "reference_type": "", "scores": [ { "value": "6.5", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N" }, { "value": "7.1", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:P/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N" }, { "value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/pypa/advisory-database/tree/main/vulns/tornado/PYSEC-2020-213.yaml" }, { "reference_url": "https://github.com/tornadoweb/tornado", "reference_id": "", "reference_type": "", "scores": [ { "value": "6.5", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N" }, { "value": "7.1", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:P/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N" }, { "value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/tornadoweb/tornado" }, { "reference_url": "https://github.com/tornadoweb/tornado/commit/1c36307463b1e8affae100bf9386948e6c1b2308", "reference_id": "", "reference_type": "", "scores": [ { "value": "6.5", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N" }, { "value": "7.1", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:P/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N" }, { "value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/tornadoweb/tornado/commit/1c36307463b1e8affae100bf9386948e6c1b2308" }, { "reference_url": "https://nvd.nist.gov/vuln/detail/CVE-2014-9720", "reference_id": "", "reference_type": "", "scores": [ { "value": "6.5", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N" }, { "value": "7.1", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:P/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N" }, { "value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://nvd.nist.gov/vuln/detail/CVE-2014-9720" }, { "reference_url": "http://www.tornadoweb.org/en/stable/releases/v3.2.2.html", "reference_id": "", "reference_type": "", "scores": [ { "value": "6.5", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N" }, { "value": "7.1", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:P/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N" }, { "value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "http://www.tornadoweb.org/en/stable/releases/v3.2.2.html" }, { "reference_url": "https://github.com/advisories/GHSA-8vpw-mgpf-mpvv", "reference_id": "GHSA-8vpw-mgpf-mpvv", "reference_type": "", "scores": [], "url": "https://github.com/advisories/GHSA-8vpw-mgpf-mpvv" } ], "fixed_packages": [ { "url": "http://public2.vulnerablecode.io/api/packages/14907?format=api", "purl": "pkg:pypi/tornado@3.2.2", "is_vulnerable": true, "affected_by_vulnerabilities": [ { "vulnerability": "VCID-27ab-kc1z-2fcv" }, { "vulnerability": "VCID-293v-ye5g-3qh9" }, { "vulnerability": "VCID-2jy5-24sv-9qhj" }, { "vulnerability": "VCID-96r3-89by-dyer" }, { "vulnerability": "VCID-9vcz-3gme-b3bm" }, { "vulnerability": "VCID-a4ry-gnvn-e3a1" }, { "vulnerability": "VCID-hyxq-9kuv-k3dt" }, { "vulnerability": "VCID-npxk-vap1-7qem" }, { "vulnerability": "VCID-vu4k-akst-wbhy" } ], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:pypi/tornado@3.2.2" } ], "aliases": [ "CVE-2014-9720", "GHSA-8vpw-mgpf-mpvv", "PYSEC-2020-213" ], "risk_score": 4.0, "exploitability": "0.5", "weighted_severity": "8.0", "resource_url": "http://public2.vulnerablecode.io/vulnerabilities/VCID-gbeg-1cjj-fufw" }, { "url": "http://public2.vulnerablecode.io/api/vulnerabilities/57307?format=api", "vulnerability_id": "VCID-hyxq-9kuv-k3dt", "summary": "Tornado vulnerable to excessive logging caused by malformed multipart form data\nWhen Tornado's ``multipart/form-data`` parser encounters certain errors, it logs a warning but continues trying to parse the remainder of the data. This allows remote attackers to generate an extremely high volume of logs, constituting a DoS attack. This DoS is compounded by the fact that the logging subsystem is synchronous.", "references": [ { "reference_url": "https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2025-47287.json", "reference_id": "", "reference_type": "", "scores": [ { "value": "7.5", "scoring_system": "cvssv3", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H" } ], "url": "https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2025-47287.json" }, { "reference_url": "https://api.first.org/data/v1/epss?cve=CVE-2025-47287", "reference_id": "", "reference_type": "", "scores": [ { "value": "0.01164", "scoring_system": "epss", "scoring_elements": "0.78983", "published_at": "2026-06-05T12:55:00Z" } ], "url": "https://api.first.org/data/v1/epss?cve=CVE-2025-47287" }, { "reference_url": "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2025-47287", "reference_id": "", "reference_type": "", "scores": [], "url": "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2025-47287" }, { "reference_url": "https://ftp.suse.com/pub/projects/security/yaml/suse-cvss-scores.yaml", "reference_id": "", "reference_type": "", "scores": [ { "value": "7.5", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H" } ], "url": "https://ftp.suse.com/pub/projects/security/yaml/suse-cvss-scores.yaml" }, { "reference_url": "https://github.com/tornadoweb/tornado", "reference_id": "", "reference_type": "", "scores": [ { "value": "7.5", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H" }, { "value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/tornadoweb/tornado" }, { "reference_url": "https://github.com/tornadoweb/tornado/commit/b39b892bf78fe8fea01dd45199aa88307e7162f3", "reference_id": "", "reference_type": "", "scores": [ { "value": "7.5", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H" }, { "value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": "" }, { "value": "Track", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:N/A:Y/T:P/P:M/B:A/M:M/D:T/2025-05-16T13:36:22Z/" } ], "url": "https://github.com/tornadoweb/tornado/commit/b39b892bf78fe8fea01dd45199aa88307e7162f3" }, { "reference_url": "https://lists.debian.org/debian-lts-announce/2025/05/msg00038.html", "reference_id": "", "reference_type": "", "scores": [ { "value": "7.5", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H" }, { "value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://lists.debian.org/debian-lts-announce/2025/05/msg00038.html" }, { "reference_url": "https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1105886", "reference_id": "1105886", "reference_type": "", "scores": [], "url": "https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1105886" }, { "reference_url": "https://bugzilla.redhat.com/show_bug.cgi?id=2366703", "reference_id": "2366703", "reference_type": "", "scores": [], "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2366703" }, { "reference_url": "https://nvd.nist.gov/vuln/detail/CVE-2025-47287", "reference_id": "CVE-2025-47287", "reference_type": "", "scores": [ { "value": "7.5", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H" }, { "value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://nvd.nist.gov/vuln/detail/CVE-2025-47287" }, { "reference_url": "https://github.com/advisories/GHSA-7cx3-6m66-7c5m", "reference_id": "GHSA-7cx3-6m66-7c5m", "reference_type": "", "scores": [], "url": "https://github.com/advisories/GHSA-7cx3-6m66-7c5m" }, { "reference_url": "https://github.com/tornadoweb/tornado/security/advisories/GHSA-7cx3-6m66-7c5m", "reference_id": "GHSA-7cx3-6m66-7c5m", "reference_type": "", "scores": [ { "value": "7.5", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H" }, { "value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": "" }, { "value": "Track", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:N/A:Y/T:P/P:M/B:A/M:M/D:T/2025-05-16T13:36:22Z/" } ], "url": "https://github.com/tornadoweb/tornado/security/advisories/GHSA-7cx3-6m66-7c5m" }, { "reference_url": "https://access.redhat.com/errata/RHSA-2025:8135", "reference_id": "RHSA-2025:8135", "reference_type": "", "scores": [], "url": "https://access.redhat.com/errata/RHSA-2025:8135" }, { "reference_url": "https://access.redhat.com/errata/RHSA-2025:8136", "reference_id": "RHSA-2025:8136", "reference_type": "", "scores": [], "url": "https://access.redhat.com/errata/RHSA-2025:8136" }, { "reference_url": "https://access.redhat.com/errata/RHSA-2025:8223", "reference_id": "RHSA-2025:8223", "reference_type": "", "scores": [], "url": "https://access.redhat.com/errata/RHSA-2025:8223" }, { "reference_url": "https://access.redhat.com/errata/RHSA-2025:8226", "reference_id": "RHSA-2025:8226", "reference_type": "", "scores": [], "url": "https://access.redhat.com/errata/RHSA-2025:8226" }, { "reference_url": "https://access.redhat.com/errata/RHSA-2025:8254", "reference_id": "RHSA-2025:8254", "reference_type": "", "scores": [], "url": "https://access.redhat.com/errata/RHSA-2025:8254" }, { "reference_url": "https://access.redhat.com/errata/RHSA-2025:8279", "reference_id": "RHSA-2025:8279", "reference_type": "", "scores": [], "url": "https://access.redhat.com/errata/RHSA-2025:8279" }, { "reference_url": "https://access.redhat.com/errata/RHSA-2025:8290", "reference_id": "RHSA-2025:8290", "reference_type": "", "scores": [], "url": "https://access.redhat.com/errata/RHSA-2025:8290" }, { "reference_url": "https://access.redhat.com/errata/RHSA-2025:8291", "reference_id": "RHSA-2025:8291", "reference_type": "", "scores": [], "url": "https://access.redhat.com/errata/RHSA-2025:8291" }, { "reference_url": "https://access.redhat.com/errata/RHSA-2025:8323", "reference_id": "RHSA-2025:8323", "reference_type": "", "scores": [], "url": "https://access.redhat.com/errata/RHSA-2025:8323" }, { "reference_url": "https://access.redhat.com/errata/RHSA-2025:8664", "reference_id": "RHSA-2025:8664", "reference_type": "", "scores": [], "url": "https://access.redhat.com/errata/RHSA-2025:8664" }, { "reference_url": "https://usn.ubuntu.com/7547-1/", "reference_id": "USN-7547-1", "reference_type": "", "scores": [], "url": "https://usn.ubuntu.com/7547-1/" } ], "fixed_packages": [ { "url": "http://public2.vulnerablecode.io/api/packages/48588?format=api", "purl": "pkg:pypi/tornado@6.5", "is_vulnerable": true, "affected_by_vulnerabilities": [ { "vulnerability": "VCID-96r3-89by-dyer" }, { "vulnerability": "VCID-9vcz-3gme-b3bm" }, { "vulnerability": "VCID-npxk-vap1-7qem" } ], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:pypi/tornado@6.5" } ], "aliases": [ "CVE-2025-47287", "GHSA-7cx3-6m66-7c5m" ], "risk_score": 4.0, "exploitability": "0.5", "weighted_severity": "8.0", "resource_url": "http://public2.vulnerablecode.io/vulnerabilities/VCID-hyxq-9kuv-k3dt" }, { "url": "http://public2.vulnerablecode.io/api/vulnerabilities/50872?format=api", "vulnerability_id": "VCID-npxk-vap1-7qem", "summary": "Tornado has incomplete validation of cookie attributes\nValues passed to the `domain`, `path`, and `samesite` arguments of `RequestHandler.set_cookie` were not completely validated in versions of Tornado prior to 6.5.5. In particular, semicolons would be allowed, which could be used to inject attacker-controlled values for other cookie attributes.", "references": [ { "reference_url": "https://github.com/tornadoweb/tornado", "reference_id": "", "reference_type": "", "scores": [ { "value": "5.4", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:L/A:N" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/tornadoweb/tornado" }, { "reference_url": "https://github.com/tornadoweb/tornado/commit/24a2d96ea115f663b223887deb0060f13974c104", "reference_id": "", "reference_type": "", "scores": [ { "value": "5.4", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:L/A:N" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/tornadoweb/tornado/commit/24a2d96ea115f663b223887deb0060f13974c104" }, { "reference_url": "https://github.com/tornadoweb/tornado/releases/tag/v6.5.5", "reference_id": "", "reference_type": "", "scores": [ { "value": "5.4", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:L/A:N" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/tornadoweb/tornado/releases/tag/v6.5.5" }, { "reference_url": "https://github.com/advisories/GHSA-78cv-mqj4-43f7", "reference_id": "GHSA-78cv-mqj4-43f7", "reference_type": "", "scores": [ { "value": "MODERATE", "scoring_system": "cvssv3.1_qr", "scoring_elements": "" } ], "url": "https://github.com/advisories/GHSA-78cv-mqj4-43f7" }, { "reference_url": "https://github.com/tornadoweb/tornado/security/advisories/GHSA-78cv-mqj4-43f7", "reference_id": "GHSA-78cv-mqj4-43f7", "reference_type": "", "scores": [ { "value": "5.4", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:L/A:N" }, { "value": "MODERATE", "scoring_system": "cvssv3.1_qr", "scoring_elements": "" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/tornadoweb/tornado/security/advisories/GHSA-78cv-mqj4-43f7" } ], "fixed_packages": [ { "url": "http://public2.vulnerablecode.io/api/packages/48593?format=api", "purl": "pkg:pypi/tornado@6.5.5", "is_vulnerable": false, "affected_by_vulnerabilities": [], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:pypi/tornado@6.5.5" } ], "aliases": [ "GHSA-78cv-mqj4-43f7" ], "risk_score": null, "exploitability": null, "weighted_severity": null, "resource_url": "http://public2.vulnerablecode.io/vulnerabilities/VCID-npxk-vap1-7qem" }, { "url": "http://public2.vulnerablecode.io/api/vulnerabilities/55250?format=api", "vulnerability_id": "VCID-vu4k-akst-wbhy", "summary": "Inconsistent Interpretation of HTTP Requests ('HTTP Request/Response Smuggling') in tornado\nWhen Tornado receives a request with two `Transfer-Encoding: chunked` headers, it ignores them both. This enables request smuggling when Tornado is deployed behind a proxy server that emits such requests. [Pound](https://en.wikipedia.org/wiki/Pound_(networking)) does this.", "references": [ { "reference_url": "https://github.com/tornadoweb/tornado", "reference_id": "", "reference_type": "", "scores": [ { "value": "5.3", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/tornadoweb/tornado" }, { "reference_url": "https://github.com/tornadoweb/tornado/commit/d65f6e71a77f53a1ff0a0dc55704be13f04eb572", "reference_id": "", "reference_type": "", "scores": [ { "value": "5.3", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/tornadoweb/tornado/commit/d65f6e71a77f53a1ff0a0dc55704be13f04eb572" }, { "reference_url": "https://github.com/advisories/GHSA-753j-mpmx-qq6g", "reference_id": "GHSA-753j-mpmx-qq6g", "reference_type": "", "scores": [ { "value": "MODERATE", "scoring_system": "cvssv3.1_qr", "scoring_elements": "" } ], "url": "https://github.com/advisories/GHSA-753j-mpmx-qq6g" }, { "reference_url": "https://github.com/tornadoweb/tornado/security/advisories/GHSA-753j-mpmx-qq6g", "reference_id": "GHSA-753j-mpmx-qq6g", "reference_type": "", "scores": [ { "value": "5.3", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N" }, { "value": "MODERATE", "scoring_system": "cvssv3.1_qr", "scoring_elements": "" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/tornadoweb/tornado/security/advisories/GHSA-753j-mpmx-qq6g" } ], "fixed_packages": [ { "url": "http://public2.vulnerablecode.io/api/packages/48585?format=api", "purl": "pkg:pypi/tornado@6.4.1", "is_vulnerable": true, "affected_by_vulnerabilities": [ { "vulnerability": "VCID-27ab-kc1z-2fcv" }, { "vulnerability": "VCID-96r3-89by-dyer" }, { "vulnerability": "VCID-9vcz-3gme-b3bm" }, { "vulnerability": "VCID-hyxq-9kuv-k3dt" }, { "vulnerability": "VCID-npxk-vap1-7qem" } ], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:pypi/tornado@6.4.1" } ], "aliases": [ "GHSA-753j-mpmx-qq6g" ], "risk_score": null, "exploitability": null, "weighted_severity": null, "resource_url": "http://public2.vulnerablecode.io/vulnerabilities/VCID-vu4k-akst-wbhy" } ], "fixing_vulnerabilities": [], "risk_score": "4.0", "resource_url": "http://public2.vulnerablecode.io/packages/pkg:pypi/tornado@2.4" }