Debian Python-Tornado vulnerabilities

CVE-2026-35536 [HIGH] CVE-2026-35536: python-tornado - In Tornado before 6.5.5, cookie attribute injection could occur because the doma... In Tornado before 6.5.5, cookie attribute injection could occur because the domain, path, and samesite arguments to .RequestHandler.set_cookie were not checked for crafted characters. Scope: local bookworm: open bullseye: resolved (fixed in 6.1.0-1+deb11u4) forky: resolved (fixed in 6.5.5-1) sid: resolved (fixed in 6.5.5-1) trixie: open

CVE-2026-31958 [HIGH] CVE-2026-31958: python-tornado - Tornado is a Python web framework and asynchronous networking library. In versio... Tornado is a Python web framework and asynchronous networking library. In versions of Tornado prior to 6.5.5, the only limit on the number of parts in multipart/form-data is the max_body_size setting (default 100MB). Since parsing occurs synchronously on the main thread, this creates the possibility of denial-of-service due to the cost of parsing very large m

CVE-2025-47287 [HIGH] CVE-2025-47287: python-tornado - Tornado is a Python web framework and asynchronous networking library. When Torn... Tornado is a Python web framework and asynchronous networking library. When Tornado's ``multipart/form-data`` parser encounters certain errors, it logs a warning but continues trying to parse the remainder of the data. This allows remote attackers to generate an extremely high volume of logs, constituting a DoS attack. This DoS is compounded by the fact that

CVE-2025-67726 [HIGH] CVE-2025-67726: python-tornado - Tornado is a Python web framework and asynchronous networking library. Versions ... Tornado is a Python web framework and asynchronous networking library. Versions 6.5.2 and below use an inefficient algorithm when parsing parameters for HTTP header values, potentially causing a DoS. The _parseparam function in httputil.py is used to parse specific HTTP header values, such as those in multipart/form-data and repeatedly calls string.count() wi

CVE-2025-67725 [HIGH] CVE-2025-67725: python-tornado - Tornado is a Python web framework and asynchronous networking library. In versio... Tornado is a Python web framework and asynchronous networking library. In versions 6.5.2 and below, a single maliciously crafted HTTP request can block the server's event loop for an extended period, caused by the HTTPHeaders.add method. The function accumulates values using string concatenation when the same header name is repeated, causing a Denial of Servi

CVE-2025-67724 [MEDIUM] CVE-2025-67724: python-tornado - Tornado is a Python web framework and asynchronous networking library. In versio... Tornado is a Python web framework and asynchronous networking library. In versions 6.5.2 and below, the supplied reason phrase is used unescaped in HTTP headers (where it could be used for header injection) or in HTML in the default error page (where it could be used for XSS) and can be exploited by passing untrusted or malicious data into the reason argume

CVE-2024-52804 [HIGH] CVE-2024-52804: python-tornado - Tornado is a Python web framework and asynchronous networking library. The algor... Tornado is a Python web framework and asynchronous networking library. The algorithm used for parsing HTTP cookies in Tornado versions prior to 6.4.2 sometimes has quadratic complexity, leading to excessive CPU consumption when parsing maliciously-crafted cookie headers. This parsing occurs in the event loop thread and may block the processing of other reques

CVE-2023-28370 [MEDIUM] CVE-2023-28370: python-tornado - Open redirect vulnerability in Tornado versions 6.3.1 and earlier allows a remot... Open redirect vulnerability in Tornado versions 6.3.1 and earlier allows a remote unauthenticated attacker to redirect a user to an arbitrary web site and conduct a phishing attack by having user access a specially crafted URL. Scope: local bookworm: resolved (fixed in 6.2.0-3+deb12u1) bullseye: resolved (fixed in 6.1.0-1+deb11u1) forky: resolved (fixed in

CVE-2014-9720 [MEDIUM] CVE-2014-9720: python-tornado - Tornado before 3.2.2 sends arbitrary responses that contain a fixed CSRF token a... Tornado before 3.2.2 sends arbitrary responses that contain a fixed CSRF token and may be sent with HTTP compression, which makes it easier for remote attackers to conduct a BREACH attack and determine this token via a series of crafted requests. Scope: local bookworm: resolved (fixed in 3.2.2-1) bullseye: resolved (fixed in 3.2.2-1) forky: resolved (fixed in

CVE-2013-2099 [MEDIUM] CVE-2013-2099: bzr - Algorithmic complexity vulnerability in the ssl.match_hostname function in Pytho... Algorithmic complexity vulnerability in the ssl.match_hostname function in Python 3.2.x, 3.3.x, and earlier, and unspecified versions of python-backports-ssl_match_hostname as used for older Python versions, allows remote attackers to cause a denial of service (CPU consumption) via multiple wildcard characters in the common name in a certificate. Scope: local bookworm:

CVE-2012-2374 [MEDIUM] CVE-2012-2374: python-tornado - CRLF injection vulnerability in the tornado.web.RequestHandler.set_header functi... CRLF injection vulnerability in the tornado.web.RequestHandler.set_header function in Tornado before 2.2.1 allows remote attackers to inject arbitrary HTTP headers and conduct HTTP response splitting attacks via crafted input. Scope: local bookworm: resolved (fixed in 2.1.0-3) bullseye: resolved (fixed in 2.1.0-3) forky: resolved (fixed in 2.1.0-3) sid: resol