Search for packages
| purl | pkg:deb/debian/python-tornado@6.4.2-3 |
| Next non-vulnerable version | 6.4.2-3+deb13u2 |
| Latest non-vulnerable version | 6.5.5-1 |
| Risk | 4.0 |
| Vulnerability | Summary | Fixed by |
|---|---|---|
|
VCID-27x3-ch78-8ueh
Aliases: CVE-2025-67725 |
tornado: Tornado Quadratic DoS via Repeated Header Coalescing |
Affected by 0 other vulnerabilities. |
|
VCID-be89-uuxa-fyb5
Aliases: CVE-2026-31958 GHSA-qjxf-f2mg-c6mc |
Tornado is vulnerable to DoS due to too many multipart parts In versions of Tornado prior to 6.5.5, the only limit on the number of parts in `multipart/form-data` is the `max_body_size` setting (default 100MB). Since parsing occurs synchronously on the main thread, this creates the possibility of denial-of-service due to the cost of parsing very large multipart bodies with many parts. Tornado 6.5.5 introduces new limits on the size and complexity of multipart bodies, including a default limit of 100 parts per request. These limits are configurable if needed; see `tornado.httputil.ParseMultipartConfig`. It is also now possible to disable `multipart/form-data` parsing entirely if it is not required for the application. |
Affected by 0 other vulnerabilities. Affected by 0 other vulnerabilities. |
|
VCID-g13r-ansu-27av
Aliases: CVE-2025-67724 |
tornado: Tornado Header Injection and XSS via reason argument |
Affected by 0 other vulnerabilities. Affected by 1 other vulnerability. |
|
VCID-nq24-395d-wuar
Aliases: CVE-2026-35536 GHSA-fqwm-6jpj-5wxc |
Affected by 0 other vulnerabilities. |
|
|
VCID-y1z8-z2f1-mqg7
Aliases: CVE-2025-67726 |
tornado: Tornado Quadratic DoS via Crafted Multipart Parameters |
Affected by 0 other vulnerabilities. |
| Vulnerability | Summary | Aliases |
|---|---|---|
| This package is not known to fix vulnerabilities. | ||
| Date | Actor | Action | Vulnerability | Source | VulnerableCode Version |
|---|---|---|---|---|---|
| 2026-04-16T10:13:59.248029+00:00 | Debian Importer | Affected by | VCID-27x3-ch78-8ueh | https://security-tracker.debian.org/tracker/data/json | 38.4.0 |
| 2026-04-16T09:54:56.886002+00:00 | Debian Importer | Affected by | VCID-y1z8-z2f1-mqg7 | https://security-tracker.debian.org/tracker/data/json | 38.4.0 |
| 2026-04-16T09:02:45.175986+00:00 | Debian Importer | Affected by | VCID-nq24-395d-wuar | https://security-tracker.debian.org/tracker/data/json | 38.4.0 |
| 2026-04-16T08:43:48.722172+00:00 | Debian Importer | Affected by | VCID-be89-uuxa-fyb5 | https://security-tracker.debian.org/tracker/data/json | 38.4.0 |
| 2026-04-16T08:38:23.768615+00:00 | Debian Importer | Affected by | VCID-g13r-ansu-27av | https://security-tracker.debian.org/tracker/data/json | 38.4.0 |
| 2026-04-13T06:52:50.653062+00:00 | Debian Importer | Affected by | VCID-27x3-ch78-8ueh | https://security-tracker.debian.org/tracker/data/json | 38.3.0 |
| 2026-04-13T06:38:08.477720+00:00 | Debian Importer | Affected by | VCID-y1z8-z2f1-mqg7 | https://security-tracker.debian.org/tracker/data/json | 38.3.0 |
| 2026-04-11T18:03:52.557438+00:00 | Debian Importer | Affected by | VCID-nq24-395d-wuar | https://security-tracker.debian.org/tracker/data/json | 38.3.0 |
| 2026-04-11T17:51:55.909983+00:00 | Debian Importer | Affected by | VCID-be89-uuxa-fyb5 | https://security-tracker.debian.org/tracker/data/json | 38.3.0 |
| 2026-04-11T17:48:33.416048+00:00 | Debian Importer | Affected by | VCID-g13r-ansu-27av | https://security-tracker.debian.org/tracker/data/json | 38.3.0 |
| 2026-04-08T18:34:31.684898+00:00 | Debian Importer | Affected by | VCID-27x3-ch78-8ueh | https://security-tracker.debian.org/tracker/data/json | 38.1.0 |
| 2026-04-08T18:24:42.329484+00:00 | Debian Importer | Affected by | VCID-y1z8-z2f1-mqg7 | https://security-tracker.debian.org/tracker/data/json | 38.1.0 |
| 2026-04-07T06:07:12.661583+00:00 | Debian Importer | Affected by | VCID-nq24-395d-wuar | https://security-tracker.debian.org/tracker/data/json | 38.1.0 |
| 2026-04-04T16:21:18.317481+00:00 | Debian Importer | Affected by | VCID-be89-uuxa-fyb5 | https://security-tracker.debian.org/tracker/data/json | 38.1.0 |
| 2026-04-04T15:40:33.949142+00:00 | Debian Importer | Affected by | VCID-g13r-ansu-27av | https://security-tracker.debian.org/tracker/data/json | 38.1.0 |