VulnerableCode Package Details - pkg:deb/debian/python-tornado@6.2.0-3%2Bdeb12u4

Search for packages

Vulnerability	Summary	Fixed by
VCID-96r3-89by-dyer Aliases: CVE-2026-31958 GHSA-qjxf-f2mg-c6mc PYSEC-2026-140	Tornado is a Python web framework and asynchronous networking library. In versions of Tornado prior to 6.5.5, the only limit on the number of parts in multipart/form-data is the max_body_size setting (default 100MB). Since parsing occurs synchronously on the main thread, this creates the possibility of denial-of-service due to the cost of parsing very large multipart bodies with many parts. This vulnerability is fixed in 6.5.5.	6.5.5-2 Affected by 0 other vulnerabilities.
VCID-9vcz-3gme-b3bm Aliases: CVE-2026-35536 GHSA-fqwm-6jpj-5wxc	tornado: Tornado: Cookie attribute injection due to improper handling of cookie arguments	6.5.5-2 Affected by 0 other vulnerabilities.

Vulnerability

Summary

Fixed by

VCID-96r3-89by-dyer
Aliases:
CVE-2026-31958
GHSA-qjxf-f2mg-c6mc
PYSEC-2026-140

Tornado is a Python web framework and asynchronous networking library. In versions of Tornado prior to 6.5.5, the only limit on the number of parts in multipart/form-data is the max_body_size setting (default 100MB). Since parsing occurs synchronously on the main thread, this creates the possibility of denial-of-service due to the cost of parsing very large multipart bodies with many parts. This vulnerability is fixed in 6.5.5.

6.5.5-2
Affected by 0 other vulnerabilities.

VCID-9vcz-3gme-b3bm
Aliases:
CVE-2026-35536
GHSA-fqwm-6jpj-5wxc

tornado: Tornado: Cookie attribute injection due to improper handling of cookie arguments

6.5.5-2
Affected by 0 other vulnerabilities.

Vulnerability	Summary	Aliases
VCID-27ab-kc1z-2fcv	Tornado has an HTTP cookie parsing DoS vulnerability The algorithm used for parsing HTTP cookies in Tornado versions prior to 6.4.2 sometimes has quadratic complexity, leading to excessive CPU consumption when parsing maliciously-crafted cookie headers. This parsing occurs in the event loop thread and may block the processing of other requests. See also CVE-2024-7592 for a similar vulnerability in cpython.	CVE-2024-52804 GHSA-8w49-h785-mj3c
VCID-3s9v-tggu-cfdr	tornado: Tornado Quadratic DoS via Repeated Header Coalescing	CVE-2025-67725
VCID-6uus-p5xs-huhh	tornado: Tornado Header Injection and XSS via reason argument	CVE-2025-67724
VCID-96r3-89by-dyer	Tornado is a Python web framework and asynchronous networking library. In versions of Tornado prior to 6.5.5, the only limit on the number of parts in multipart/form-data is the max_body_size setting (default 100MB). Since parsing occurs synchronously on the main thread, this creates the possibility of denial-of-service due to the cost of parsing very large multipart bodies with many parts. This vulnerability is fixed in 6.5.5.	CVE-2026-31958 GHSA-qjxf-f2mg-c6mc PYSEC-2026-140
VCID-9vcz-3gme-b3bm	tornado: Tornado: Cookie attribute injection due to improper handling of cookie arguments	CVE-2026-35536 GHSA-fqwm-6jpj-5wxc
VCID-a4ry-gnvn-e3a1	Open redirect vulnerability in Tornado versions 6.3.1 and earlier allows a remote unauthenticated attacker to redirect a user to an arbitrary web site and conduct a phishing attack by having user access a specially crafted URL.	CVE-2023-28370 GHSA-hj3f-6gcp-jg8j PYSEC-2023-75
VCID-hyxq-9kuv-k3dt	Tornado vulnerable to excessive logging caused by malformed multipart form data When Tornado's ``multipart/form-data`` parser encounters certain errors, it logs a warning but continues trying to parse the remainder of the data. This allows remote attackers to generate an extremely high volume of logs, constituting a DoS attack. This DoS is compounded by the fact that the logging subsystem is synchronous.	CVE-2025-47287 GHSA-7cx3-6m66-7c5m
VCID-q8ws-prs8-g7ef	tornado: Tornado Quadratic DoS via Crafted Multipart Parameters	CVE-2025-67726

Vulnerability

Summary

Aliases

VCID-27ab-kc1z-2fcv

Tornado has an HTTP cookie parsing DoS vulnerability The algorithm used for parsing HTTP cookies in Tornado versions prior to 6.4.2 sometimes has quadratic complexity, leading to excessive CPU consumption when parsing maliciously-crafted cookie headers. This parsing occurs in the event loop thread and may block the processing of other requests. See also CVE-2024-7592 for a similar vulnerability in cpython.

CVE-2024-52804
GHSA-8w49-h785-mj3c

VCID-3s9v-tggu-cfdr

tornado: Tornado Quadratic DoS via Repeated Header Coalescing

CVE-2025-67725

VCID-6uus-p5xs-huhh

tornado: Tornado Header Injection and XSS via reason argument

CVE-2025-67724

VCID-96r3-89by-dyer

CVE-2026-31958
GHSA-qjxf-f2mg-c6mc
PYSEC-2026-140

VCID-9vcz-3gme-b3bm

tornado: Tornado: Cookie attribute injection due to improper handling of cookie arguments

CVE-2026-35536
GHSA-fqwm-6jpj-5wxc

VCID-a4ry-gnvn-e3a1

Open redirect vulnerability in Tornado versions 6.3.1 and earlier allows a remote unauthenticated attacker to redirect a user to an arbitrary web site and conduct a phishing attack by having user access a specially crafted URL.

CVE-2023-28370
GHSA-hj3f-6gcp-jg8j
PYSEC-2023-75

VCID-hyxq-9kuv-k3dt

Tornado vulnerable to excessive logging caused by malformed multipart form data When Tornado's ``multipart/form-data`` parser encounters certain errors, it logs a warning but continues trying to parse the remainder of the data. This allows remote attackers to generate an extremely high volume of logs, constituting a DoS attack. This DoS is compounded by the fact that the logging subsystem is synchronous.

CVE-2025-47287
GHSA-7cx3-6m66-7c5m

VCID-q8ws-prs8-g7ef

tornado: Tornado Quadratic DoS via Crafted Multipart Parameters

CVE-2025-67726

Date	Actor	Action	Vulnerability	Source	VulnerableCode Version
2026-06-06T10:33:00.883402+00:00	Debian Oval Importer	Fixing	VCID-hyxq-9kuv-k3dt	https://www.debian.org/security/oval/oval-definitions-bullseye.xml.bz2	38.6.0
2026-06-06T10:31:40.966077+00:00	Debian Oval Importer	Fixing	VCID-9vcz-3gme-b3bm	https://www.debian.org/security/oval/oval-definitions-bullseye.xml.bz2	38.6.0
2026-06-06T10:01:57.125541+00:00	Debian Oval Importer	Fixing	VCID-96r3-89by-dyer	https://www.debian.org/security/oval/oval-definitions-bullseye.xml.bz2	38.6.0
2026-06-06T08:11:23.397710+00:00	Debian Oval Importer	Fixing	VCID-6uus-p5xs-huhh	https://www.debian.org/security/oval/oval-definitions-bullseye.xml.bz2	38.6.0
2026-06-06T08:01:31.561761+00:00	Debian Oval Importer	Fixing	VCID-a4ry-gnvn-e3a1	https://www.debian.org/security/oval/oval-definitions-bullseye.xml.bz2	38.6.0
2026-06-06T06:36:28.594294+00:00	Debian Oval Importer	Fixing	VCID-q8ws-prs8-g7ef	https://www.debian.org/security/oval/oval-definitions-bullseye.xml.bz2	38.6.0
2026-06-06T06:35:58.951675+00:00	Debian Oval Importer	Fixing	VCID-27ab-kc1z-2fcv	https://www.debian.org/security/oval/oval-definitions-bullseye.xml.bz2	38.6.0
2026-06-06T05:20:42.800833+00:00	Debian Oval Importer	Fixing	VCID-3s9v-tggu-cfdr	https://www.debian.org/security/oval/oval-definitions-bullseye.xml.bz2	38.6.0
2026-06-05T20:29:01.163455+00:00	Debian Importer	Affected by	VCID-9vcz-3gme-b3bm	https://security-tracker.debian.org/tracker/data/json	38.6.0
2026-06-05T19:25:04.257725+00:00	Debian Importer	Affected by	VCID-96r3-89by-dyer	https://security-tracker.debian.org/tracker/data/json	38.6.0