VulnerableCode Vulnerability Details - VCID-jf6j-dngc-6qdp

Staging Environment: Content and features may be unstable or change without notice.

Search for vulnerabilities

Vulnerability details: VCID-jf6j-dngc-6qdp

Essentials
Severities (5)
References (4)
Severity details (5)
Exploits (0)
EPSS
History (1)

Vulnerability ID	VCID-jf6j-dngc-6qdp
Aliases	GHSA-qppv-j76h-2rpx GMS-2023-1908
Summary	Tornado vulnerable to HTTP request smuggling via improper parsing of `Content-Length` fields and chunk lengths ## Summary Tornado interprets `-`, `+`, and `_` in chunk length and `Content-Length` values, which are not allowed by the HTTP RFCs. This can result in request smuggling when Tornado is deployed behind certain proxies that interpret those non-standard characters differently. This is known to apply to older versions of haproxy, although the current release is not affected. ## Details Tornado uses the `int` constructor to parse the values of `Content-Length` headers and chunk lengths in the following locations: ### `tornado/http1connection.py:445` ```python3 self._expected_content_remaining = int(headers["Content-Length"]) ``` ### `tornado/http1connection.py:621` ```python3 content_length = int(headers["Content-Length"]) # type: Optional[int] ``` ### `tornado/http1connection.py:671` ```python3 chunk_len = int(chunk_len_str.strip(), 16) ``` Because `int("0_0") == int("+0") == int("-0") == int("0")`, using the `int` constructor to parse and validate strings that should contain only ASCII digits is not a good strategy.
Status	Published
Exploitability	0.5
Weighted Severity	6.2
Risk	3.1
Affected and Fixed Packages	Package Details

Weaknesses (3)

CWE-1035	OWASP Top Ten 2017 Category A9 - Using Components with Known Vulnerabilities
CWE-937	OWASP Top Ten 2013 Category A9 - Using Components with Known Vulnerabilities
CWE-444	Inconsistent Interpretation of HTTP Requests ('HTTP Request/Response Smuggling')

System	Score	Found at
cvssv3.1_qr	MODERATE	https://github.com/advisories/GHSA-qppv-j76h-2rpx
generic_textual	MODERATE	https://github.com/tornadoweb/tornado
generic_textual	MODERATE	https://github.com/tornadoweb/tornado/commit/b7a5dd29bb02950303ae96055082c12a1ea0a4fe
cvssv3.1_qr	MODERATE	https://github.com/tornadoweb/tornado/security/advisories/GHSA-qppv-j76h-2rpx
generic_textual	MODERATE	https://github.com/tornadoweb/tornado/security/advisories/GHSA-qppv-j76h-2rpx

Reference id	Reference type	URL
		https://github.com/tornadoweb/tornado
		https://github.com/tornadoweb/tornado/commit/b7a5dd29bb02950303ae96055082c12a1ea0a4fe
GHSA-qppv-j76h-2rpx		https://github.com/advisories/GHSA-qppv-j76h-2rpx
GHSA-qppv-j76h-2rpx		https://github.com/tornadoweb/tornado/security/advisories/GHSA-qppv-j76h-2rpx

No exploits are available.

No EPSS data available for this vulnerability.

Date	Actor	Action	Source	VulnerableCode Version
2026-04-01T12:51:41.724258+00:00	GitLab Importer	Import	https://gitlab.com/gitlab-org/advisories-community/-/blob/main/pypi/tornado/GMS-2023-1908.yml	38.0.0