VulnerableCode Package Details - pkg:pypi/tornado@6.5b1

Search for packages

Vulnerability	Summary	Fixed by
VCID-62bx-a5uf-j3b4 Aliases: CVE-2025-47287 GHSA-7cx3-6m66-7c5m	Tornado vulnerable to excessive logging caused by malformed multipart form data ### Summary When Tornado's ``multipart/form-data`` parser encounters certain errors, it logs a warning but continues trying to parse the remainder of the data. This allows remote attackers to generate an extremely high volume of logs, constituting a DoS attack. This DoS is compounded by the fact that the logging subsystem is synchronous. ### Affected versions All versions of Tornado prior to 6.5 are affected. The vulnerable parser is enabled by default. ### Solution Upgrade to Tornado version 6.5. In the meantime, risk can be mitigated by blocking `Content-Type: multipart/form-data` in a proxy.	6.5 Affected by 2 other vulnerabilities. This version is affected by these other vulnerabilities: {{ fixed_by_vuln.vulnerability_id }} {{ fixed_by_vuln.vulnerability_id }}
VCID-be89-uuxa-fyb5 Aliases: CVE-2026-31958 GHSA-qjxf-f2mg-c6mc	Tornado is vulnerable to DoS due to too many multipart parts In versions of Tornado prior to 6.5.5, the only limit on the number of parts in `multipart/form-data` is the `max_body_size` setting (default 100MB). Since parsing occurs synchronously on the main thread, this creates the possibility of denial-of-service due to the cost of parsing very large multipart bodies with many parts. Tornado 6.5.5 introduces new limits on the size and complexity of multipart bodies, including a default limit of 100 parts per request. These limits are configurable if needed; see `tornado.httputil.ParseMultipartConfig`. It is also now possible to disable `multipart/form-data` parsing entirely if it is not required for the application.	6.5.5 Affected by 0 other vulnerabilities.
VCID-jbwv-ayru-8fgm Aliases: GHSA-78cv-mqj4-43f7	Tornado has incomplete validation of cookie attributes Values passed to the `domain`, `path`, and `samesite` arguments of `RequestHandler.set_cookie` were not completely validated in versions of Tornado prior to 6.5.5. In particular, semicolons would be allowed, which could be used to inject attacker-controlled values for other cookie attributes.	6.5.5 Affected by 0 other vulnerabilities.

Vulnerability

Summary

Fixed by

VCID-62bx-a5uf-j3b4
Aliases:
CVE-2025-47287
GHSA-7cx3-6m66-7c5m

Tornado vulnerable to excessive logging caused by malformed multipart form data ### Summary When Tornado's ``multipart/form-data`` parser encounters certain errors, it logs a warning but continues trying to parse the remainder of the data. This allows remote attackers to generate an extremely high volume of logs, constituting a DoS attack. This DoS is compounded by the fact that the logging subsystem is synchronous. ### Affected versions All versions of Tornado prior to 6.5 are affected. The vulnerable parser is enabled by default. ### Solution Upgrade to Tornado version 6.5. In the meantime, risk can be mitigated by blocking `Content-Type: multipart/form-data` in a proxy.

6.5
Affected by 2 other vulnerabilities.

VCID-be89-uuxa-fyb5
Aliases:
CVE-2026-31958
GHSA-qjxf-f2mg-c6mc

Tornado is vulnerable to DoS due to too many multipart parts In versions of Tornado prior to 6.5.5, the only limit on the number of parts in `multipart/form-data` is the `max_body_size` setting (default 100MB). Since parsing occurs synchronously on the main thread, this creates the possibility of denial-of-service due to the cost of parsing very large multipart bodies with many parts. Tornado 6.5.5 introduces new limits on the size and complexity of multipart bodies, including a default limit of 100 parts per request. These limits are configurable if needed; see `tornado.httputil.ParseMultipartConfig`. It is also now possible to disable `multipart/form-data` parsing entirely if it is not required for the application.

6.5.5
Affected by 0 other vulnerabilities.

VCID-jbwv-ayru-8fgm
Aliases:
GHSA-78cv-mqj4-43f7

Tornado has incomplete validation of cookie attributes Values passed to the `domain`, `path`, and `samesite` arguments of `RequestHandler.set_cookie` were not completely validated in versions of Tornado prior to 6.5.5. In particular, semicolons would be allowed, which could be used to inject attacker-controlled values for other cookie attributes.

6.5.5
Affected by 0 other vulnerabilities.

Vulnerability	Summary	Aliases
This package is not known to fix vulnerabilities.

Vulnerability

Summary

Aliases

This package is not known to fix vulnerabilities.

Date	Actor	Action	Vulnerability	Source	VulnerableCode Version
2026-04-17T00:40:04.068859+00:00	GitLab Importer	Affected by	VCID-be89-uuxa-fyb5	https://gitlab.com/gitlab-org/advisories-community/-/blob/main/pypi/tornado/CVE-2026-31958.yml	38.4.0
2026-04-17T00:35:20.460766+00:00	GitLab Importer	Affected by	VCID-jbwv-ayru-8fgm	https://gitlab.com/gitlab-org/advisories-community/-/blob/main/pypi/tornado/GHSA-78cv-mqj4-43f7.yml	38.4.0
2026-04-16T23:29:00.745176+00:00	GitLab Importer	Affected by	VCID-62bx-a5uf-j3b4	https://gitlab.com/gitlab-org/advisories-community/-/blob/main/pypi/tornado/CVE-2025-47287.yml	38.4.0
2026-04-13T14:31:01.660901+00:00	GitLab Importer	Affected by	VCID-be89-uuxa-fyb5	https://gitlab.com/gitlab-org/advisories-community/-/blob/main/pypi/tornado/CVE-2026-31958.yml	38.3.0
2026-04-12T02:00:35.209585+00:00	GitLab Importer	Affected by	VCID-jbwv-ayru-8fgm	https://gitlab.com/gitlab-org/advisories-community/-/blob/main/pypi/tornado/GHSA-78cv-mqj4-43f7.yml	38.3.0
2026-04-12T00:48:40.419674+00:00	GitLab Importer	Affected by	VCID-62bx-a5uf-j3b4	https://gitlab.com/gitlab-org/advisories-community/-/blob/main/pypi/tornado/CVE-2025-47287.yml	38.3.0
2026-04-03T00:56:40.417742+00:00	GitLab Importer	Affected by	VCID-62bx-a5uf-j3b4	https://gitlab.com/gitlab-org/advisories-community/-/blob/main/pypi/tornado/CVE-2025-47287.yml	38.1.0