Tornado is vulnerable to DoS due to too many multipart parts

🗓️ 12 Mar 2026 14:19:52Reported by GitHub Advisory DatabaseType

Tornado before 6.5.5 is vulnerable to DoS from large multipart bodies; 6.5.5 adds a 100-part limit.

Reporter	Title	Published	Views	Family All 206
IBM Security Bulletins	Security Bulletin: IBM Maximo Application Suite - Monitor Component uses tornado-6.5.3-cp39-abi3-manylinux_2_5_x86_64.manylinux1_x86_64.manylinux_2_17_x86_64.manylinux2014_x86_64.whl which is vulnerable to CVE-2026-31958	29 May 202608:42	–	ibm
ATTACKERKB	CVE-2026-31958	11 Mar 202619:27	–	attackerkb
Tenable Nessus	Amazon Linux 2023 : python3-tornado (ALAS2023-2026-1502)	1 Apr 202600:00	–	nessus
Tenable Nessus	Amazon Linux 2023 : python3.13-tornado (ALAS2023-2026-1528)	1 Apr 202600:00	–	nessus
Tenable Nessus	Amazon Linux 2 : python3-tornado, --advisory ALAS2-2026-3213 (ALAS-2026-3213)	1 Apr 202600:00	–	nessus
Tenable Nessus	Amazon Linux 2 : python-tornado, --advisory ALAS2-2026-3214 (ALAS-2026-3214)	1 Apr 202600:00	–	nessus
Tenable Nessus	AlmaLinux 10 : python-tornado (ALSA-2026:13641)	6 May 202600:00	–	nessus
Tenable Nessus	AlmaLinux 9 : python-tornado (ALSA-2026:13670)	6 May 202600:00	–	nessus
Tenable Nessus	AlmaLinux 8 : pcs (ALSA-2026:8093)	16 Apr 202600:00	–	nessus
Tenable Nessus	Debian dla-4520 : python-tornado-doc - security update	1 Apr 202600:00	–	nessus

Vulners

Node

tornado tornadoRange≤6.5.4pip

Source	Link
github	www.github.com/tornadoweb/tornado/security/advisories/GHSA-qjxf-f2mg-c6mc
nvd	www.nvd.nist.gov/vuln/detail/CVE-2026-31958
github	www.github.com/tornadoweb/tornado/commit/119a195e290c43ad2d63a2cf012c29d43d6ed839
github	www.github.com/tornadoweb/tornado/releases/tag/v6.5.5
lists	www.lists.debian.org/debian-lts-announce/2026/04/msg00000.html
github	www.github.com/advisories/GHSA-qjxf-f2mg-c6mc

06 Apr 2026 19:41Current

5.7Medium risk

Vulners AI Score5.7

CVSS 3.17.5

CVSS 48.7

EPSS0.00028

SSVC