VulnerableCode Package Details - pkg:pypi/tornado@6.5

Search for packages

Vulnerability	Summary	Fixed by
VCID-be89-uuxa-fyb5 Aliases: CVE-2026-31958 GHSA-qjxf-f2mg-c6mc	Tornado is vulnerable to DoS due to too many multipart parts In versions of Tornado prior to 6.5.5, the only limit on the number of parts in `multipart/form-data` is the `max_body_size` setting (default 100MB). Since parsing occurs synchronously on the main thread, this creates the possibility of denial-of-service due to the cost of parsing very large multipart bodies with many parts. Tornado 6.5.5 introduces new limits on the size and complexity of multipart bodies, including a default limit of 100 parts per request. These limits are configurable if needed; see `tornado.httputil.ParseMultipartConfig`. It is also now possible to disable `multipart/form-data` parsing entirely if it is not required for the application.	6.5.5 Affected by 0 other vulnerabilities.
VCID-jbwv-ayru-8fgm Aliases: GHSA-78cv-mqj4-43f7	Tornado has incomplete validation of cookie attributes Values passed to the `domain`, `path`, and `samesite` arguments of `RequestHandler.set_cookie` were not completely validated in versions of Tornado prior to 6.5.5. In particular, semicolons would be allowed, which could be used to inject attacker-controlled values for other cookie attributes.	6.5.5 Affected by 0 other vulnerabilities.

Vulnerability

Summary

Fixed by

VCID-be89-uuxa-fyb5
Aliases:
CVE-2026-31958
GHSA-qjxf-f2mg-c6mc

Tornado is vulnerable to DoS due to too many multipart parts In versions of Tornado prior to 6.5.5, the only limit on the number of parts in `multipart/form-data` is the `max_body_size` setting (default 100MB). Since parsing occurs synchronously on the main thread, this creates the possibility of denial-of-service due to the cost of parsing very large multipart bodies with many parts. Tornado 6.5.5 introduces new limits on the size and complexity of multipart bodies, including a default limit of 100 parts per request. These limits are configurable if needed; see `tornado.httputil.ParseMultipartConfig`. It is also now possible to disable `multipart/form-data` parsing entirely if it is not required for the application.

6.5.5
Affected by 0 other vulnerabilities.

VCID-jbwv-ayru-8fgm
Aliases:
GHSA-78cv-mqj4-43f7

Tornado has incomplete validation of cookie attributes Values passed to the `domain`, `path`, and `samesite` arguments of `RequestHandler.set_cookie` were not completely validated in versions of Tornado prior to 6.5.5. In particular, semicolons would be allowed, which could be used to inject attacker-controlled values for other cookie attributes.

6.5.5
Affected by 0 other vulnerabilities.

Vulnerability	Summary	Aliases
VCID-62bx-a5uf-j3b4	Tornado vulnerable to excessive logging caused by malformed multipart form data ### Summary When Tornado's ``multipart/form-data`` parser encounters certain errors, it logs a warning but continues trying to parse the remainder of the data. This allows remote attackers to generate an extremely high volume of logs, constituting a DoS attack. This DoS is compounded by the fact that the logging subsystem is synchronous. ### Affected versions All versions of Tornado prior to 6.5 are affected. The vulnerable parser is enabled by default. ### Solution Upgrade to Tornado version 6.5. In the meantime, risk can be mitigated by blocking `Content-Type: multipart/form-data` in a proxy.	CVE-2025-47287 GHSA-7cx3-6m66-7c5m

Vulnerability

Summary

Aliases

VCID-62bx-a5uf-j3b4

Tornado vulnerable to excessive logging caused by malformed multipart form data ### Summary When Tornado's ``multipart/form-data`` parser encounters certain errors, it logs a warning but continues trying to parse the remainder of the data. This allows remote attackers to generate an extremely high volume of logs, constituting a DoS attack. This DoS is compounded by the fact that the logging subsystem is synchronous. ### Affected versions All versions of Tornado prior to 6.5 are affected. The vulnerable parser is enabled by default. ### Solution Upgrade to Tornado version 6.5. In the meantime, risk can be mitigated by blocking `Content-Type: multipart/form-data` in a proxy.

CVE-2025-47287
GHSA-7cx3-6m66-7c5m

Date	Actor	Action	Vulnerability	Source	VulnerableCode Version
2026-04-17T00:40:04.072084+00:00	GitLab Importer	Affected by	VCID-be89-uuxa-fyb5	https://gitlab.com/gitlab-org/advisories-community/-/blob/main/pypi/tornado/CVE-2026-31958.yml	38.4.0
2026-04-17T00:35:20.463955+00:00	GitLab Importer	Affected by	VCID-jbwv-ayru-8fgm	https://gitlab.com/gitlab-org/advisories-community/-/blob/main/pypi/tornado/GHSA-78cv-mqj4-43f7.yml	38.4.0
2026-04-16T23:29:00.749025+00:00	GitLab Importer	Fixing	VCID-62bx-a5uf-j3b4	https://gitlab.com/gitlab-org/advisories-community/-/blob/main/pypi/tornado/CVE-2025-47287.yml	38.4.0
2026-04-13T14:31:01.662635+00:00	GitLab Importer	Affected by	VCID-be89-uuxa-fyb5	https://gitlab.com/gitlab-org/advisories-community/-/blob/main/pypi/tornado/CVE-2026-31958.yml	38.3.0
2026-04-12T02:00:35.214376+00:00	GitLab Importer	Affected by	VCID-jbwv-ayru-8fgm	https://gitlab.com/gitlab-org/advisories-community/-/blob/main/pypi/tornado/GHSA-78cv-mqj4-43f7.yml	38.3.0
2026-04-12T00:48:40.423431+00:00	GitLab Importer	Fixing	VCID-62bx-a5uf-j3b4	https://gitlab.com/gitlab-org/advisories-community/-/blob/main/pypi/tornado/CVE-2025-47287.yml	38.3.0
2026-04-07T04:57:48.948858+00:00	GHSA Importer	Fixing	VCID-62bx-a5uf-j3b4	https://github.com/advisories/GHSA-7cx3-6m66-7c5m	38.1.0
2026-04-03T00:56:40.421083+00:00	GitLab Importer	Fixing	VCID-62bx-a5uf-j3b4	https://gitlab.com/gitlab-org/advisories-community/-/blob/main/pypi/tornado/CVE-2025-47287.yml	38.1.0
2026-04-02T12:41:25.309734+00:00	GitLab Importer	Fixing	VCID-62bx-a5uf-j3b4	https://gitlab.com/gitlab-org/advisories-community/-/blob/main/pypi/tornado/CVE-2025-47287.yml	38.0.0
2026-04-01T12:57:02.735689+00:00	GithubOSV Importer	Fixing	VCID-62bx-a5uf-j3b4	https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2025/05/GHSA-7cx3-6m66-7c5m/GHSA-7cx3-6m66-7c5m.json	38.0.0