VulnerableCode Package Details - pkg:pypi/tornado@6.4.2

Search for packages

Vulnerability	Summary	Fixed by
VCID-62bx-a5uf-j3b4 Aliases: CVE-2025-47287 GHSA-7cx3-6m66-7c5m	Tornado vulnerable to excessive logging caused by malformed multipart form data ### Summary When Tornado's ``multipart/form-data`` parser encounters certain errors, it logs a warning but continues trying to parse the remainder of the data. This allows remote attackers to generate an extremely high volume of logs, constituting a DoS attack. This DoS is compounded by the fact that the logging subsystem is synchronous. ### Affected versions All versions of Tornado prior to 6.5 are affected. The vulnerable parser is enabled by default. ### Solution Upgrade to Tornado version 6.5. In the meantime, risk can be mitigated by blocking `Content-Type: multipart/form-data` in a proxy.	6.5 Affected by 2 other vulnerabilities. This version is affected by these other vulnerabilities: {{ fixed_by_vuln.vulnerability_id }} {{ fixed_by_vuln.vulnerability_id }}
VCID-be89-uuxa-fyb5 Aliases: CVE-2026-31958 GHSA-qjxf-f2mg-c6mc	Tornado is vulnerable to DoS due to too many multipart parts In versions of Tornado prior to 6.5.5, the only limit on the number of parts in `multipart/form-data` is the `max_body_size` setting (default 100MB). Since parsing occurs synchronously on the main thread, this creates the possibility of denial-of-service due to the cost of parsing very large multipart bodies with many parts. Tornado 6.5.5 introduces new limits on the size and complexity of multipart bodies, including a default limit of 100 parts per request. These limits are configurable if needed; see `tornado.httputil.ParseMultipartConfig`. It is also now possible to disable `multipart/form-data` parsing entirely if it is not required for the application.	6.5.5 Affected by 0 other vulnerabilities.
VCID-jbwv-ayru-8fgm Aliases: GHSA-78cv-mqj4-43f7	Tornado has incomplete validation of cookie attributes Values passed to the `domain`, `path`, and `samesite` arguments of `RequestHandler.set_cookie` were not completely validated in versions of Tornado prior to 6.5.5. In particular, semicolons would be allowed, which could be used to inject attacker-controlled values for other cookie attributes.	6.5.5 Affected by 0 other vulnerabilities.

Vulnerability

Summary

Fixed by

VCID-62bx-a5uf-j3b4
Aliases:
CVE-2025-47287
GHSA-7cx3-6m66-7c5m

Tornado vulnerable to excessive logging caused by malformed multipart form data ### Summary When Tornado's ``multipart/form-data`` parser encounters certain errors, it logs a warning but continues trying to parse the remainder of the data. This allows remote attackers to generate an extremely high volume of logs, constituting a DoS attack. This DoS is compounded by the fact that the logging subsystem is synchronous. ### Affected versions All versions of Tornado prior to 6.5 are affected. The vulnerable parser is enabled by default. ### Solution Upgrade to Tornado version 6.5. In the meantime, risk can be mitigated by blocking `Content-Type: multipart/form-data` in a proxy.

6.5
Affected by 2 other vulnerabilities.

VCID-be89-uuxa-fyb5
Aliases:
CVE-2026-31958
GHSA-qjxf-f2mg-c6mc

Tornado is vulnerable to DoS due to too many multipart parts In versions of Tornado prior to 6.5.5, the only limit on the number of parts in `multipart/form-data` is the `max_body_size` setting (default 100MB). Since parsing occurs synchronously on the main thread, this creates the possibility of denial-of-service due to the cost of parsing very large multipart bodies with many parts. Tornado 6.5.5 introduces new limits on the size and complexity of multipart bodies, including a default limit of 100 parts per request. These limits are configurable if needed; see `tornado.httputil.ParseMultipartConfig`. It is also now possible to disable `multipart/form-data` parsing entirely if it is not required for the application.

6.5.5
Affected by 0 other vulnerabilities.

VCID-jbwv-ayru-8fgm
Aliases:
GHSA-78cv-mqj4-43f7

Tornado has incomplete validation of cookie attributes Values passed to the `domain`, `path`, and `samesite` arguments of `RequestHandler.set_cookie` were not completely validated in versions of Tornado prior to 6.5.5. In particular, semicolons would be allowed, which could be used to inject attacker-controlled values for other cookie attributes.

6.5.5
Affected by 0 other vulnerabilities.

Vulnerability	Summary	Aliases
VCID-3y8v-vsd8-ubba	Tornado has an HTTP cookie parsing DoS vulnerability The algorithm used for parsing HTTP cookies in Tornado versions prior to 6.4.2 sometimes has quadratic complexity, leading to excessive CPU consumption when parsing maliciously-crafted cookie headers. This parsing occurs in the event loop thread and may block the processing of other requests. See also CVE-2024-7592 for a similar vulnerability in cpython.	CVE-2024-52804 GHSA-8w49-h785-mj3c

Vulnerability

Summary

Aliases

VCID-3y8v-vsd8-ubba

Tornado has an HTTP cookie parsing DoS vulnerability The algorithm used for parsing HTTP cookies in Tornado versions prior to 6.4.2 sometimes has quadratic complexity, leading to excessive CPU consumption when parsing maliciously-crafted cookie headers. This parsing occurs in the event loop thread and may block the processing of other requests. See also CVE-2024-7592 for a similar vulnerability in cpython.

CVE-2024-52804
GHSA-8w49-h785-mj3c

Date	Actor	Action	Vulnerability	Source	VulnerableCode Version
2026-04-13T14:31:01.659072+00:00	GitLab Importer	Affected by	VCID-be89-uuxa-fyb5	https://gitlab.com/gitlab-org/advisories-community/-/blob/main/pypi/tornado/CVE-2026-31958.yml	38.3.0
2026-04-12T02:00:35.204861+00:00	GitLab Importer	Affected by	VCID-jbwv-ayru-8fgm	https://gitlab.com/gitlab-org/advisories-community/-/blob/main/pypi/tornado/GHSA-78cv-mqj4-43f7.yml	38.3.0
2026-04-12T00:48:40.415996+00:00	GitLab Importer	Affected by	VCID-62bx-a5uf-j3b4	https://gitlab.com/gitlab-org/advisories-community/-/blob/main/pypi/tornado/CVE-2025-47287.yml	38.3.0
2026-04-07T04:56:30.162608+00:00	GHSA Importer	Fixing	VCID-3y8v-vsd8-ubba	https://github.com/advisories/GHSA-8w49-h785-mj3c	38.1.0
2026-04-03T00:56:40.413137+00:00	GitLab Importer	Affected by	VCID-62bx-a5uf-j3b4	https://gitlab.com/gitlab-org/advisories-community/-/blob/main/pypi/tornado/CVE-2025-47287.yml	38.1.0
2026-04-02T12:40:27.280556+00:00	GitLab Importer	Fixing	VCID-3y8v-vsd8-ubba	https://gitlab.com/gitlab-org/advisories-community/-/blob/main/pypi/tornado/CVE-2024-52804.yml	38.0.0
2026-04-01T12:51:15.010220+00:00	GithubOSV Importer	Fixing	VCID-3y8v-vsd8-ubba	https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2024/11/GHSA-8w49-h785-mj3c/GHSA-8w49-h785-mj3c.json	38.0.0