Tornadoweb Tornado vulnerabilities

CVE-2026-35536 [MEDIUM] CWE-159 CVE-2026-35536: In Tornado before 6.5.5, cookie attribute injection could occur because the domain, path, and samesi In Tornado before 6.5.5, cookie attribute injection could occur because the domain, path, and samesite arguments to .RequestHandler.set_cookie were not checked for crafted characters.

CVE-2026-31958 [HIGH] CWE-400 CVE-2026-31958: Tornado is a Python web framework and asynchronous networking library. In versions of Tornado prior Tornado is a Python web framework and asynchronous networking library. In versions of Tornado prior to 6.5.5, the only limit on the number of parts in multipart/form-data is the max_body_size setting (default 100MB). Since parsing occurs synchronously on the main thread, this creates the possibility of denial-of-service due to the cost of parsing very

CVE-2025-67725 [HIGH] CWE-400 CVE-2025-67725: Tornado is a Python web framework and asynchronous networking library. In versions 6.5.2 and below, Tornado is a Python web framework and asynchronous networking library. In versions 6.5.2 and below, a single maliciously crafted HTTP request can block the server's event loop for an extended period, caused by the HTTPHeaders.add method. The function accumulates values using string concatenation when the same header name is repeated, causing a Denial o

CVE-2025-67726 [HIGH] CWE-400 CVE-2025-67726: Tornado is a Python web framework and asynchronous networking library. Versions 6.5.2 and below use Tornado is a Python web framework and asynchronous networking library. Versions 6.5.2 and below use an inefficient algorithm when parsing parameters for HTTP header values, potentially causing a DoS. The _parseparam function in httputil.py is used to parse specific HTTP header values, such as those in multipart/form-data and repeatedly calls string.cou

CVE-2025-67724 [MEDIUM] CWE-79 CVE-2025-67724: Tornado is a Python web framework and asynchronous networking library. In versions 6.5.2 and below, Tornado is a Python web framework and asynchronous networking library. In versions 6.5.2 and below, the supplied reason phrase is used unescaped in HTTP headers (where it could be used for header injection) or in HTML in the default error page (where it could be used for XSS) and can be exploited by passing untrusted or malicious data into the reason

CVE-2025-47287 [HIGH] CWE-770 CVE-2025-47287: Tornado is a Python web framework and asynchronous networking library. When Tornado's ``multipart/fo Tornado is a Python web framework and asynchronous networking library. When Tornado's ``multipart/form-data`` parser encounters certain errors, it logs a warning but continues trying to parse the remainder of the data. This allows remote attackers to generate an extremely high volume of logs, constituting a DoS attack. This DoS is compounded by the fa

CVE-2024-52804 [HIGH] CWE-400 CVE-2024-52804: Tornado is a Python web framework and asynchronous networking library. The algorithm used for parsin Tornado is a Python web framework and asynchronous networking library. The algorithm used for parsing HTTP cookies in Tornado versions prior to 6.4.2 sometimes has quadratic complexity, leading to excessive CPU consumption when parsing maliciously-crafted cookie headers. This parsing occurs in the event loop thread and may block the processing of othe

CVE-2023-28370 [MEDIUM] CWE-601 CVE-2023-28370: Open redirect vulnerability in Tornado versions 6.3.1 and earlier allows a remote unauthenticated at Open redirect vulnerability in Tornado versions 6.3.1 and earlier allows a remote unauthenticated attacker to redirect a user to an arbitrary web site and conduct a phishing attack by having user access a specially crafted URL.

CVE-2014-9720 [MEDIUM] CWE-203 CVE-2014-9720: Tornado before 3.2.2 sends arbitrary responses that contain a fixed CSRF token and may be sent with Tornado before 3.2.2 sends arbitrary responses that contain a fixed CSRF token and may be sent with HTTP compression, which makes it easier for remote attackers to conduct a BREACH attack and determine this token via a series of crafted requests.

CVE-2012-2374 [MEDIUM] CWE-20 CVE-2012-2374: CRLF injection vulnerability in the tornado.web.RequestHandler.set_header function in Tornado before CRLF injection vulnerability in the tornado.web.RequestHandler.set_header function in Tornado before 2.2.1 allows remote attackers to inject arbitrary HTTP headers and conduct HTTP response splitting attacks via crafted input.