Search for packages
| purl | pkg:deb/debian/python-tornado@6.5.4-1?distro=trixie |
| Vulnerability | Summary | Fixed by |
|---|---|---|
|
VCID-be89-uuxa-fyb5
Aliases: CVE-2026-31958 GHSA-qjxf-f2mg-c6mc |
Tornado is vulnerable to DoS due to too many multipart parts In versions of Tornado prior to 6.5.5, the only limit on the number of parts in `multipart/form-data` is the `max_body_size` setting (default 100MB). Since parsing occurs synchronously on the main thread, this creates the possibility of denial-of-service due to the cost of parsing very large multipart bodies with many parts. Tornado 6.5.5 introduces new limits on the size and complexity of multipart bodies, including a default limit of 100 parts per request. These limits are configurable if needed; see `tornado.httputil.ParseMultipartConfig`. It is also now possible to disable `multipart/form-data` parsing entirely if it is not required for the application. |
Affected by 0 other vulnerabilities. |
|
VCID-nq24-395d-wuar
Aliases: CVE-2026-35536 GHSA-fqwm-6jpj-5wxc |
Affected by 0 other vulnerabilities. |
| Vulnerability | Summary | Aliases |
|---|---|---|
| VCID-1mw1-384y-huc7 | Uncontrolled Resource Consumption Algorithmic complexity vulnerability in the `ssl.match_hostname` function and unspecified versions of python-backports-ssl_match_hostname as used for older Python versions, allows remote attackers to cause a denial of service (CPU consumption) via multiple wildcard characters in the common name in a certificate. |
CVE-2013-2099
|
| VCID-27x3-ch78-8ueh | tornado: Tornado Quadratic DoS via Repeated Header Coalescing |
CVE-2025-67725
|
| VCID-3y8v-vsd8-ubba | Tornado has an HTTP cookie parsing DoS vulnerability The algorithm used for parsing HTTP cookies in Tornado versions prior to 6.4.2 sometimes has quadratic complexity, leading to excessive CPU consumption when parsing maliciously-crafted cookie headers. This parsing occurs in the event loop thread and may block the processing of other requests. See also CVE-2024-7592 for a similar vulnerability in cpython. |
CVE-2024-52804
GHSA-8w49-h785-mj3c |
| VCID-62bx-a5uf-j3b4 | Tornado vulnerable to excessive logging caused by malformed multipart form data ### Summary When Tornado's ``multipart/form-data`` parser encounters certain errors, it logs a warning but continues trying to parse the remainder of the data. This allows remote attackers to generate an extremely high volume of logs, constituting a DoS attack. This DoS is compounded by the fact that the logging subsystem is synchronous. ### Affected versions All versions of Tornado prior to 6.5 are affected. The vulnerable parser is enabled by default. ### Solution Upgrade to Tornado version 6.5. In the meantime, risk can be mitigated by blocking `Content-Type: multipart/form-data` in a proxy. |
CVE-2025-47287
GHSA-7cx3-6m66-7c5m |
| VCID-6knn-nt2y-1uem | Open redirect vulnerability in Tornado versions 6.3.1 and earlier allows a remote unauthenticated attacker to redirect a user to an arbitrary web site and conduct a phishing attack by having user access a specially crafted URL. |
CVE-2023-28370
GHSA-hj3f-6gcp-jg8j PYSEC-2023-75 |
| VCID-8kva-hv12-9ydc | Tornado before 3.2.2 sends arbitrary responses that contain a fixed CSRF token and may be sent with HTTP compression, which makes it easier for remote attackers to conduct a BREACH attack and determine this token via a series of crafted requests. |
CVE-2014-9720
GHSA-8vpw-mgpf-mpvv PYSEC-2020-213 |
| VCID-byy6-ku5b-ykew | CRLF injection vulnerability in the tornado.web.RequestHandler.set_header function in Tornado before 2.2.1 allows remote attackers to inject arbitrary HTTP headers and conduct HTTP response splitting attacks via crafted input. |
CVE-2012-2374
GHSA-f7fv-v9rh-prvc PYSEC-2012-5 |
| VCID-g13r-ansu-27av | tornado: Tornado Header Injection and XSS via reason argument |
CVE-2025-67724
|
| VCID-y1z8-z2f1-mqg7 | tornado: Tornado Quadratic DoS via Crafted Multipart Parameters |
CVE-2025-67726
|