Search for packages
| purl | pkg:deb/debian/python-tornado@6.2.0-3%2Bdeb12u2 |
| Next non-vulnerable version | 6.2.0-3+deb12u4 |
| Latest non-vulnerable version | 6.5.5-1 |
| Risk | 4.0 |
| Vulnerability | Summary | Fixed by |
|---|---|---|
|
VCID-27x3-ch78-8ueh
Aliases: CVE-2025-67725 |
tornado: Tornado Quadratic DoS via Repeated Header Coalescing |
Affected by 0 other vulnerabilities. Affected by 0 other vulnerabilities. |
|
VCID-be89-uuxa-fyb5
Aliases: CVE-2026-31958 GHSA-qjxf-f2mg-c6mc |
Tornado is vulnerable to DoS due to too many multipart parts In versions of Tornado prior to 6.5.5, the only limit on the number of parts in `multipart/form-data` is the `max_body_size` setting (default 100MB). Since parsing occurs synchronously on the main thread, this creates the possibility of denial-of-service due to the cost of parsing very large multipart bodies with many parts. Tornado 6.5.5 introduces new limits on the size and complexity of multipart bodies, including a default limit of 100 parts per request. These limits are configurable if needed; see `tornado.httputil.ParseMultipartConfig`. It is also now possible to disable `multipart/form-data` parsing entirely if it is not required for the application. |
Affected by 0 other vulnerabilities. Affected by 0 other vulnerabilities. Affected by 0 other vulnerabilities. |
|
VCID-g13r-ansu-27av
Aliases: CVE-2025-67724 |
tornado: Tornado Header Injection and XSS via reason argument |
Affected by 0 other vulnerabilities. Affected by 0 other vulnerabilities. Affected by 1 other vulnerability. |
|
VCID-nq24-395d-wuar
Aliases: CVE-2026-35536 GHSA-fqwm-6jpj-5wxc |
Affected by 0 other vulnerabilities. Affected by 0 other vulnerabilities. |
|
|
VCID-y1z8-z2f1-mqg7
Aliases: CVE-2025-67726 |
tornado: Tornado Quadratic DoS via Crafted Multipart Parameters |
Affected by 0 other vulnerabilities. Affected by 0 other vulnerabilities. |
| Vulnerability | Summary | Aliases |
|---|---|---|
| VCID-27x3-ch78-8ueh | tornado: Tornado Quadratic DoS via Repeated Header Coalescing |
CVE-2025-67725
|
| VCID-3y8v-vsd8-ubba | Tornado has an HTTP cookie parsing DoS vulnerability The algorithm used for parsing HTTP cookies in Tornado versions prior to 6.4.2 sometimes has quadratic complexity, leading to excessive CPU consumption when parsing maliciously-crafted cookie headers. This parsing occurs in the event loop thread and may block the processing of other requests. See also CVE-2024-7592 for a similar vulnerability in cpython. |
CVE-2024-52804
GHSA-8w49-h785-mj3c |
| VCID-62bx-a5uf-j3b4 | Tornado vulnerable to excessive logging caused by malformed multipart form data ### Summary When Tornado's ``multipart/form-data`` parser encounters certain errors, it logs a warning but continues trying to parse the remainder of the data. This allows remote attackers to generate an extremely high volume of logs, constituting a DoS attack. This DoS is compounded by the fact that the logging subsystem is synchronous. ### Affected versions All versions of Tornado prior to 6.5 are affected. The vulnerable parser is enabled by default. ### Solution Upgrade to Tornado version 6.5. In the meantime, risk can be mitigated by blocking `Content-Type: multipart/form-data` in a proxy. |
CVE-2025-47287
GHSA-7cx3-6m66-7c5m |
| VCID-6knn-nt2y-1uem | Open redirect vulnerability in Tornado versions 6.3.1 and earlier allows a remote unauthenticated attacker to redirect a user to an arbitrary web site and conduct a phishing attack by having user access a specially crafted URL. |
CVE-2023-28370
GHSA-hj3f-6gcp-jg8j PYSEC-2023-75 |
| VCID-be89-uuxa-fyb5 | Tornado is vulnerable to DoS due to too many multipart parts In versions of Tornado prior to 6.5.5, the only limit on the number of parts in `multipart/form-data` is the `max_body_size` setting (default 100MB). Since parsing occurs synchronously on the main thread, this creates the possibility of denial-of-service due to the cost of parsing very large multipart bodies with many parts. Tornado 6.5.5 introduces new limits on the size and complexity of multipart bodies, including a default limit of 100 parts per request. These limits are configurable if needed; see `tornado.httputil.ParseMultipartConfig`. It is also now possible to disable `multipart/form-data` parsing entirely if it is not required for the application. |
CVE-2026-31958
GHSA-qjxf-f2mg-c6mc |
| VCID-g13r-ansu-27av | tornado: Tornado Header Injection and XSS via reason argument |
CVE-2025-67724
|
| VCID-nq24-395d-wuar |
CVE-2026-35536
GHSA-fqwm-6jpj-5wxc |
|
| VCID-y1z8-z2f1-mqg7 | tornado: Tornado Quadratic DoS via Crafted Multipart Parameters |
CVE-2025-67726
|