VulnerableCode Package Details - pkg:pypi/tornado@6.5.2

Search for packages

Vulnerability	Summary	Fixed by
VCID-be89-uuxa-fyb5 Aliases: CVE-2026-31958 GHSA-qjxf-f2mg-c6mc	Tornado is vulnerable to DoS due to too many multipart parts In versions of Tornado prior to 6.5.5, the only limit on the number of parts in `multipart/form-data` is the `max_body_size` setting (default 100MB). Since parsing occurs synchronously on the main thread, this creates the possibility of denial-of-service due to the cost of parsing very large multipart bodies with many parts. Tornado 6.5.5 introduces new limits on the size and complexity of multipart bodies, including a default limit of 100 parts per request. These limits are configurable if needed; see `tornado.httputil.ParseMultipartConfig`. It is also now possible to disable `multipart/form-data` parsing entirely if it is not required for the application.	6.5.5 Affected by 0 other vulnerabilities.
VCID-jbwv-ayru-8fgm Aliases: GHSA-78cv-mqj4-43f7	Tornado has incomplete validation of cookie attributes Values passed to the `domain`, `path`, and `samesite` arguments of `RequestHandler.set_cookie` were not completely validated in versions of Tornado prior to 6.5.5. In particular, semicolons would be allowed, which could be used to inject attacker-controlled values for other cookie attributes.	6.5.5 Affected by 0 other vulnerabilities.

Vulnerability

Summary

Fixed by

VCID-be89-uuxa-fyb5
Aliases:
CVE-2026-31958
GHSA-qjxf-f2mg-c6mc

Tornado is vulnerable to DoS due to too many multipart parts In versions of Tornado prior to 6.5.5, the only limit on the number of parts in `multipart/form-data` is the `max_body_size` setting (default 100MB). Since parsing occurs synchronously on the main thread, this creates the possibility of denial-of-service due to the cost of parsing very large multipart bodies with many parts. Tornado 6.5.5 introduces new limits on the size and complexity of multipart bodies, including a default limit of 100 parts per request. These limits are configurable if needed; see `tornado.httputil.ParseMultipartConfig`. It is also now possible to disable `multipart/form-data` parsing entirely if it is not required for the application.

6.5.5
Affected by 0 other vulnerabilities.

VCID-jbwv-ayru-8fgm
Aliases:
GHSA-78cv-mqj4-43f7

Tornado has incomplete validation of cookie attributes Values passed to the `domain`, `path`, and `samesite` arguments of `RequestHandler.set_cookie` were not completely validated in versions of Tornado prior to 6.5.5. In particular, semicolons would be allowed, which could be used to inject attacker-controlled values for other cookie attributes.

6.5.5
Affected by 0 other vulnerabilities.

Vulnerability	Summary	Aliases
This package is not known to fix vulnerabilities.

Vulnerability

Summary

Aliases

This package is not known to fix vulnerabilities.

Date	Actor	Action	Vulnerability	Source	VulnerableCode Version
2026-04-17T00:40:04.078548+00:00	GitLab Importer	Affected by	VCID-be89-uuxa-fyb5	https://gitlab.com/gitlab-org/advisories-community/-/blob/main/pypi/tornado/CVE-2026-31958.yml	38.4.0
2026-04-17T00:35:20.470405+00:00	GitLab Importer	Affected by	VCID-jbwv-ayru-8fgm	https://gitlab.com/gitlab-org/advisories-community/-/blob/main/pypi/tornado/GHSA-78cv-mqj4-43f7.yml	38.4.0
2026-04-13T14:31:01.666515+00:00	GitLab Importer	Affected by	VCID-be89-uuxa-fyb5	https://gitlab.com/gitlab-org/advisories-community/-/blob/main/pypi/tornado/CVE-2026-31958.yml	38.3.0
2026-04-12T02:00:35.225780+00:00	GitLab Importer	Affected by	VCID-jbwv-ayru-8fgm	https://gitlab.com/gitlab-org/advisories-community/-/blob/main/pypi/tornado/GHSA-78cv-mqj4-43f7.yml	38.3.0