Python Library Tornado < 6.5.6 Multiple Vulnerabilities

The version of the Tornado Python library installed on the remote host is prior to 6.5.6. It is, therefore, affected by multiple vulnerabilities: - When SimpleAsyncHTTPClient follows a 3xx redirect, it shallow-copies the original HTTPRequest, rewrites the URL, decrements maxredirects, and removes...

ROOT-APP-PYPI-CVE-2025-47287 CVE-2025-47287 in rootio-tornado - Patched by Root

Root has patched CVE-2025-47287 in the rootio-tornado package for Root:PyPI. Multiple fixed versions available...

ROOT-APP-PYPI-CVE-2026-35536 CVE-2026-35536 in rootio-tornado - Patched by Root

Root has patched CVE-2026-35536 in the rootio-tornado package for Root:PyPI. Multiple fixed versions available...

ROOT-APP-PYPI-CVE-2024-52804 CVE-2024-52804 in rootio-tornado - Patched by Root

Root has patched CVE-2024-52804 in the rootio-tornado package for Root:PyPI. Multiple fixed versions available...

GHSA-PW6J-QG29-8W7F Tornado: CurlAsyncHTTPClient leaks per-request credentials on handle reuse

CurlAsyncHTTPClient leaks per-request credentials on handle reuse Summary CurlAsyncHTTPClient pools and reuses pycurl handles across requests but does not reset them between requests, and several per-request options are applied with no clearing branch. As a result, sensitive state set by one...

Tornado: Authorization header forwarded across cross-origin redirects in SimpleAsyncHTTPClient

Summary When SimpleAsyncHTTPClient follows a 3xx redirect, it shallow-copies the original HTTPRequest, rewrites the URL, decrements maxredirects, and removes only the Host header. It does not clear Authorization, authusername, authpassword, or authmode when the redirect target changes origin. As ...

GHSA-MGF9-4VPG-HJ56 tornado AsyncHTTPClient accumulates decompressed chunks without size limit (gzip bomb)

Tornado's gzip decompression routines work in limited-size chunks, but have no overall limit for the total size of decompressed chunks that they will accumulate There has always been a limit for the total compressed size. This allows a malicious server to consume effectively unlimited amounts of...

tornado AsyncHTTPClient accumulates decompressed chunks without size limit (gzip bomb)

Tornado's gzip decompression routines work in limited-size chunks, but have no overall limit for the total size of decompressed chunks that they will accumulate There has always been a limit for the total compressed size. This allows a malicious server to consume effectively unlimited amounts of...

python311-tornado6-6.5.7-1.1 on GA media (moderate)

python311-tornado6-6.5.7-1.1 on GA media Announcement ID: openSUSE-SU-2026:11027-1 Rating: moderate Cross-References: CVE-2026-49853 CVE-2026-49854 CVE-2026-49855 Affected Products: openSUSE Tumbleweed An update that solves 3 vulnerabilities can now be installed. Description: These are all securi...

PT-2026-49118

Name of the Vulnerable Software and Affected Versions Tornado versions prior to 6.5.6 Description When SimpleAsyncHTTPClient follows a 3xx redirect, it shallow-copies the original HTTPRequest and removes only the Host header. It fails to clear the Authorization header, auth username, auth passwor...

GHSA-CX3H-4QPV-8HC9 Tornado has out-of-bounds memory access via C extension

Summary Tornado's optional native extension tornado.speedups implements websocketmask without validating that the mask argument is exactly four bytes long. The C function reads four bytes from mask unconditionally, even when Python passes a shorter byte string. This can read beyond the provided...

Tornado has out-of-bounds memory access via C extension

Summary Tornado's optional native extension tornado.speedups implements websocketmask without validating that the mask argument is exactly four bytes long. The C function reads four bytes from mask unconditionally, even when Python passes a shorter byte string. This can read beyond the provided...

openSUSE 16 Security Update : salt (openSUSE-SU-2026:20918-1)

The remote openSUSE 16 host has packages installed that are affected by a vulnerability as referenced in the openSUSE- SU-2026:20918-1 advisory. Security fixes: - CVE-2026-31958: python-tornado: parsing large multipart bodies with many parts can cause a denial of service bsc1259554 Tenable has...

RHSA-2026:24342 Red Hat Security Advisory: python-tornado security update

Bulletin has no description...

OPENSUSE-SU-2026:20918-1 Security update for salt

This update for salt fixes the following issues: Security fixes: - CVE-2026-31958: python-tornado: parsing large multipart bodies with many parts can cause a denial of service bsc1259554 Other changes in salt: - Use non vendored tornado with Python 3.11 bsc1257583, bsc1259700 - Harden Tornado fro...

tornado: Tornado: Cookie attribute injection due to improper handling of cookie arguments

A flaw was found in Tornado. A remote attacker could exploit this vulnerability by injecting specially crafted characters into the domain, path, and samesite arguments when setting cookies. This could lead to cookie attribute injection, potentially allowing for information disclosure or...

tornado-python: Tornado: Denial of Service via large multipart bodies

A flaw was found in tornado-python. A remote attacker can exploit this vulnerability by sending a specially crafted, very large multipart body with numerous parts. Because the parsing of these large bodies occurs synchronously on the main thread, it can consume excessive resources, leading to a...

Moderate: Red Hat Security Advisory: python-tornado security update

An update for python-tornado is now available for Red Hat Enterprise Linux 7 Extended Lifecycle Support. Red Hat Product Security has rated this update as having a security impact of Moderate. A Common Vulnerability Scoring System CVSS base score, which gives a detailed severity rating, is...

RHEL 7 : python-tornado (RHSA-2026:24342)

The remote Redhat Enterprise Linux 7 host has packages installed that are affected by multiple vulnerabilities as referenced in the RHSA-2026:24342 advisory. Python is an interpreted, interactive, object-oriented programming language, which includes modules, classes, exceptions, very high level...

ROOT-APP-PYPI-CVE-2026-31958 CVE-2026-31958 in rootio-tornado - Patched by Root

Root has patched CVE-2026-31958 in the rootio-tornado package for Root:PyPI. Multiple fixed versions available...