Staging Environment: Content and features may be unstable or change without notice.
Search for packages
Package details: pkg:pypi/tornado@6.5.5
purl pkg:pypi/tornado@6.5.5
Vulnerabilities affecting this package (0)
Vulnerability Summary Fixed by
This package is not known to be affected by vulnerabilities.
Vulnerabilities fixed by this package (3)
Vulnerability Summary Aliases
VCID-be89-uuxa-fyb5 Tornado is vulnerable to DoS due to too many multipart parts In versions of Tornado prior to 6.5.5, the only limit on the number of parts in `multipart/form-data` is the `max_body_size` setting (default 100MB). Since parsing occurs synchronously on the main thread, this creates the possibility of denial-of-service due to the cost of parsing very large multipart bodies with many parts. Tornado 6.5.5 introduces new limits on the size and complexity of multipart bodies, including a default limit of 100 parts per request. These limits are configurable if needed; see `tornado.httputil.ParseMultipartConfig`. It is also now possible to disable `multipart/form-data` parsing entirely if it is not required for the application. CVE-2026-31958
GHSA-qjxf-f2mg-c6mc
VCID-jbwv-ayru-8fgm Tornado has incomplete validation of cookie attributes Values passed to the `domain`, `path`, and `samesite` arguments of `RequestHandler.set_cookie` were not completely validated in versions of Tornado prior to 6.5.5. In particular, semicolons would be allowed, which could be used to inject attacker-controlled values for other cookie attributes. GHSA-78cv-mqj4-43f7
VCID-nq24-395d-wuar CVE-2026-35536
GHSA-fqwm-6jpj-5wxc

Date Actor Action Vulnerability Source VulnerableCode Version
2026-04-17T00:40:04.088127+00:00 GitLab Importer Fixing VCID-be89-uuxa-fyb5 https://gitlab.com/gitlab-org/advisories-community/-/blob/main/pypi/tornado/CVE-2026-31958.yml 38.4.0
2026-04-17T00:35:20.480433+00:00 GitLab Importer Fixing VCID-jbwv-ayru-8fgm https://gitlab.com/gitlab-org/advisories-community/-/blob/main/pypi/tornado/GHSA-78cv-mqj4-43f7.yml 38.4.0
2026-04-12T21:33:46.494021+00:00 GitLab Importer Fixing VCID-be89-uuxa-fyb5 https://gitlab.com/gitlab-org/advisories-community/-/blob/main/pypi/tornado/CVE-2026-31958.yml 38.3.0
2026-04-11T12:36:59.000207+00:00 GitLab Importer Fixing VCID-jbwv-ayru-8fgm https://gitlab.com/gitlab-org/advisories-community/-/blob/main/pypi/tornado/GHSA-78cv-mqj4-43f7.yml 38.3.0
2026-04-07T14:17:23.394047+00:00 GithubOSV Importer Fixing VCID-be89-uuxa-fyb5 https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2026/03/GHSA-qjxf-f2mg-c6mc/GHSA-qjxf-f2mg-c6mc.json 38.1.0
2026-04-06T06:54:20.039214+00:00 GithubOSV Importer Fixing VCID-nq24-395d-wuar https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2026/04/GHSA-fqwm-6jpj-5wxc/GHSA-fqwm-6jpj-5wxc.json 38.1.0
2026-04-04T14:32:53.204760+00:00 GHSA Importer Fixing VCID-nq24-395d-wuar https://github.com/advisories/GHSA-fqwm-6jpj-5wxc 38.1.0
2026-04-02T17:01:03.627525+00:00 GHSA Importer Fixing VCID-be89-uuxa-fyb5 https://github.com/advisories/GHSA-qjxf-f2mg-c6mc 38.1.0
2026-04-01T16:08:31.421232+00:00 GHSA Importer Fixing VCID-jbwv-ayru-8fgm https://github.com/advisories/GHSA-78cv-mqj4-43f7 38.0.0
2026-04-01T12:53:30.551626+00:00 GithubOSV Importer Fixing VCID-be89-uuxa-fyb5 https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2026/03/GHSA-qjxf-f2mg-c6mc/GHSA-qjxf-f2mg-c6mc.json 38.0.0
2026-04-01T12:53:27.564360+00:00 GithubOSV Importer Fixing VCID-jbwv-ayru-8fgm https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2026/03/GHSA-78cv-mqj4-43f7/GHSA-78cv-mqj4-43f7.json 38.0.0