10 matches found
CVE-2023-28370
CVE-2023-28370 is an open redirect vulnerability in Tornado up to version 6.3.1 (and earlier) that can allow a remote unauthenticated user to redirect a victim to an arbitrary site via a crafted URL. Connected sources specify affected package Python-tornado and Tornado’s StaticFileHandler in cert...
CVE-2024-52804
The CVE-2024-52804 issue affects Tornado prior to 6.4.2, where the HTTP cookie parsing algorithm can exhibit quadratic complexity, causing high CPU usage in the event loop and potential DoS. The documented fix is upgrading to Tornado 6.4.2. Connected advisories also reference mitigation in packag...
CVE-2025-47287
Summary: CVE-2025-47287 affects Tornado (Python Tornado) where the multipart/form-data parser can log an excessive amount of messages and continue parsing, causing a DoS due to synchronous logging. All versions prior to 6.5.0 are affected; a patch is available in Tornado 6.5.0/6.50. Affects: Torn...
CVE-2014-9720
CVE-2014-9720 affects Tornado before 3.2.2. The issue allows remote attackers to exploit BREACH by receiving arbitrary HTTP responses that include a fixed CSRF token, potentially combined with HTTP compression. Root cause: responses may leak the CSRF token under compression. Impact described in s...
CVE-2026-31958
Tornado (Python) before 6.5.5 is vulnerable in its multipart/form-data parsing: the only limit is max_body_size (default 100MB) and parsing occurs synchronously on the main thread, enabling denial-of-service via very large multipart bodies with many parts. The issue is fixed in 6.5.5. CVSS metric...
CVE-2012-2374
CVE-2012-2374 is a Tornado CRLF injection vulnerability in the function tornado.web.RequestHandler.set_header, where input crafted by an attacker can inject arbitrary HTTP headers and enable HTTP response splitting. The issue affects Tornado versions prior to 2.2.1. The vulnerability enables an a...
CVE-2025-67726
Tornado (Python) vulnerability CVE-2025-67726 affects versions 6.5.2 and earlier, due to an inefficient _parseparam-based parsing of HTTP header parameters (e.g., Content-Disposition). The implementation repeatedly calls string.count() inside a nested loop while handling quoted semicolons, causin...
CVE-2025-67724
Summary (CVE-2025-67724 family: Tornado 6.5.x) Tornado, a Python web framework/networking library, is affected in versions 6.5.2 and earlier. The issue fixes unescaped reason phrases in HTTP headers (header injection risk) and in the default HTML error page (potential XSS) when data is passed to ...
CVE-2025-67725
Tornado (Python) vulnerable in versions
CVE-2026-35536
Tornado