Search for packages
| purl | pkg:deb/debian/python-tornado@2.3-2 |
| Next non-vulnerable version | 6.2.0-3+deb12u4 |
| Latest non-vulnerable version | 6.5.5-1 |
| Risk | 4.0 |
| Vulnerability | Summary | Fixed by |
|---|---|---|
|
VCID-1mw1-384y-huc7
Aliases: CVE-2013-2099 |
Uncontrolled Resource Consumption Algorithmic complexity vulnerability in the `ssl.match_hostname` function and unspecified versions of python-backports-ssl_match_hostname as used for older Python versions, allows remote attackers to cause a denial of service (CPU consumption) via multiple wildcard characters in the common name in a certificate. |
Affected by 8 other vulnerabilities. |
|
VCID-27x3-ch78-8ueh
Aliases: CVE-2025-67725 |
tornado: Tornado Quadratic DoS via Repeated Header Coalescing |
Affected by 5 other vulnerabilities. Affected by 0 other vulnerabilities. Affected by 0 other vulnerabilities. |
|
VCID-3y8v-vsd8-ubba
Aliases: CVE-2024-52804 GHSA-8w49-h785-mj3c |
Tornado has an HTTP cookie parsing DoS vulnerability The algorithm used for parsing HTTP cookies in Tornado versions prior to 6.4.2 sometimes has quadratic complexity, leading to excessive CPU consumption when parsing maliciously-crafted cookie headers. This parsing occurs in the event loop thread and may block the processing of other requests. See also CVE-2024-7592 for a similar vulnerability in cpython. |
Affected by 5 other vulnerabilities. |
|
VCID-62bx-a5uf-j3b4
Aliases: CVE-2025-47287 GHSA-7cx3-6m66-7c5m |
Tornado vulnerable to excessive logging caused by malformed multipart form data ### Summary When Tornado's ``multipart/form-data`` parser encounters certain errors, it logs a warning but continues trying to parse the remainder of the data. This allows remote attackers to generate an extremely high volume of logs, constituting a DoS attack. This DoS is compounded by the fact that the logging subsystem is synchronous. ### Affected versions All versions of Tornado prior to 6.5 are affected. The vulnerable parser is enabled by default. ### Solution Upgrade to Tornado version 6.5. In the meantime, risk can be mitigated by blocking `Content-Type: multipart/form-data` in a proxy. |
Affected by 5 other vulnerabilities. |
|
VCID-6knn-nt2y-1uem
Aliases: CVE-2023-28370 GHSA-hj3f-6gcp-jg8j PYSEC-2023-75 |
Open redirect vulnerability in Tornado versions 6.3.1 and earlier allows a remote unauthenticated attacker to redirect a user to an arbitrary web site and conduct a phishing attack by having user access a specially crafted URL. |
Affected by 5 other vulnerabilities. |
|
VCID-8kva-hv12-9ydc
Aliases: CVE-2014-9720 GHSA-8vpw-mgpf-mpvv PYSEC-2020-213 |
Tornado before 3.2.2 sends arbitrary responses that contain a fixed CSRF token and may be sent with HTTP compression, which makes it easier for remote attackers to conduct a BREACH attack and determine this token via a series of crafted requests. |
Affected by 8 other vulnerabilities. |
|
VCID-be89-uuxa-fyb5
Aliases: CVE-2026-31958 GHSA-qjxf-f2mg-c6mc |
Tornado is vulnerable to DoS due to too many multipart parts In versions of Tornado prior to 6.5.5, the only limit on the number of parts in `multipart/form-data` is the `max_body_size` setting (default 100MB). Since parsing occurs synchronously on the main thread, this creates the possibility of denial-of-service due to the cost of parsing very large multipart bodies with many parts. Tornado 6.5.5 introduces new limits on the size and complexity of multipart bodies, including a default limit of 100 parts per request. These limits are configurable if needed; see `tornado.httputil.ParseMultipartConfig`. It is also now possible to disable `multipart/form-data` parsing entirely if it is not required for the application. |
Affected by 5 other vulnerabilities. Affected by 0 other vulnerabilities. Affected by 0 other vulnerabilities. Affected by 0 other vulnerabilities. |
|
VCID-g13r-ansu-27av
Aliases: CVE-2025-67724 |
tornado: Tornado Header Injection and XSS via reason argument |
Affected by 5 other vulnerabilities. Affected by 0 other vulnerabilities. Affected by 0 other vulnerabilities. Affected by 1 other vulnerability. |
|
VCID-nq24-395d-wuar
Aliases: CVE-2026-35536 GHSA-fqwm-6jpj-5wxc |
Affected by 5 other vulnerabilities. Affected by 0 other vulnerabilities. Affected by 0 other vulnerabilities. |
|
|
VCID-y1z8-z2f1-mqg7
Aliases: CVE-2025-67726 |
tornado: Tornado Quadratic DoS via Crafted Multipart Parameters |
Affected by 5 other vulnerabilities. Affected by 0 other vulnerabilities. Affected by 0 other vulnerabilities. |
| Vulnerability | Summary | Aliases |
|---|---|---|
| VCID-byy6-ku5b-ykew | CRLF injection vulnerability in the tornado.web.RequestHandler.set_header function in Tornado before 2.2.1 allows remote attackers to inject arbitrary HTTP headers and conduct HTTP response splitting attacks via crafted input. |
CVE-2012-2374
GHSA-f7fv-v9rh-prvc PYSEC-2012-5 |