Search for packages
| purl | pkg:deb/debian/python-tornado@1.0.1-1%2Bdeb6u1 |
| Vulnerability | Summary | Fixed by |
|---|---|---|
|
VCID-172n-hbu2-6fd3
Aliases: CVE-2013-2099 |
Uncontrolled Resource Consumption Algorithmic complexity vulnerability in the `ssl.match_hostname` function and unspecified versions of python-backports-ssl_match_hostname as used for older Python versions, allows remote attackers to cause a denial of service (CPU consumption) via multiple wildcard characters in the common name in a certificate. |
Affected by 8 other vulnerabilities. |
|
VCID-27ab-kc1z-2fcv
Aliases: CVE-2024-52804 GHSA-8w49-h785-mj3c |
Tornado has an HTTP cookie parsing DoS vulnerability The algorithm used for parsing HTTP cookies in Tornado versions prior to 6.4.2 sometimes has quadratic complexity, leading to excessive CPU consumption when parsing maliciously-crafted cookie headers. This parsing occurs in the event loop thread and may block the processing of other requests. See also CVE-2024-7592 for a similar vulnerability in cpython. |
Affected by 2 other vulnerabilities. |
|
VCID-3s9v-tggu-cfdr
Aliases: CVE-2025-67725 |
tornado: Tornado Quadratic DoS via Repeated Header Coalescing |
Affected by 2 other vulnerabilities. |
|
VCID-6uus-p5xs-huhh
Aliases: CVE-2025-67724 |
tornado: Tornado Header Injection and XSS via reason argument |
Affected by 2 other vulnerabilities. |
|
VCID-96r3-89by-dyer
Aliases: CVE-2026-31958 GHSA-qjxf-f2mg-c6mc PYSEC-2026-140 |
Tornado is a Python web framework and asynchronous networking library. In versions of Tornado prior to 6.5.5, the only limit on the number of parts in multipart/form-data is the max_body_size setting (default 100MB). Since parsing occurs synchronously on the main thread, this creates the possibility of denial-of-service due to the cost of parsing very large multipart bodies with many parts. This vulnerability is fixed in 6.5.5. |
Affected by 2 other vulnerabilities. Affected by 0 other vulnerabilities. |
|
VCID-9vcz-3gme-b3bm
Aliases: CVE-2026-35536 GHSA-fqwm-6jpj-5wxc |
tornado: Tornado: Cookie attribute injection due to improper handling of cookie arguments |
Affected by 2 other vulnerabilities. Affected by 0 other vulnerabilities. |
|
VCID-a4ry-gnvn-e3a1
Aliases: CVE-2023-28370 GHSA-hj3f-6gcp-jg8j PYSEC-2023-75 |
Open redirect vulnerability in Tornado versions 6.3.1 and earlier allows a remote unauthenticated attacker to redirect a user to an arbitrary web site and conduct a phishing attack by having user access a specially crafted URL. |
Affected by 2 other vulnerabilities. |
|
VCID-gbeg-1cjj-fufw
Aliases: CVE-2014-9720 GHSA-8vpw-mgpf-mpvv PYSEC-2020-213 |
Tornado before 3.2.2 sends arbitrary responses that contain a fixed CSRF token and may be sent with HTTP compression, which makes it easier for remote attackers to conduct a BREACH attack and determine this token via a series of crafted requests. |
Affected by 8 other vulnerabilities. |
|
VCID-hyxq-9kuv-k3dt
Aliases: CVE-2025-47287 GHSA-7cx3-6m66-7c5m |
Tornado vulnerable to excessive logging caused by malformed multipart form data When Tornado's ``multipart/form-data`` parser encounters certain errors, it logs a warning but continues trying to parse the remainder of the data. This allows remote attackers to generate an extremely high volume of logs, constituting a DoS attack. This DoS is compounded by the fact that the logging subsystem is synchronous. |
Affected by 2 other vulnerabilities. |
|
VCID-q8ws-prs8-g7ef
Aliases: CVE-2025-67726 |
tornado: Tornado Quadratic DoS via Crafted Multipart Parameters |
Affected by 2 other vulnerabilities. |
|
VCID-sxra-vqmr-fybt
Aliases: CVE-2012-2374 GHSA-f7fv-v9rh-prvc PYSEC-2012-5 |
CRLF injection vulnerability in the tornado.web.RequestHandler.set_header function in Tornado before 2.2.1 allows remote attackers to inject arbitrary HTTP headers and conduct HTTP response splitting attacks via crafted input. |
Affected by 10 other vulnerabilities. |
| Vulnerability | Summary | Aliases |
|---|---|---|
| This package is not known to fix vulnerabilities. | ||