Lucene search
K
TornadowebTornado

10 matches found

CVE
CVE
added 2023/05/25 12:0 a.m.552 views

CVE-2023-28370

CVE-2023-28370 is an open redirect vulnerability in Tornado up to version 6.3.1 (and earlier) that can allow a remote unauthenticated user to redirect a victim to an arbitrary site via a crafted URL. Connected sources specify affected package Python-tornado and Tornado’s StaticFileHandler in cert...

6.1CVSS6.2AI score0.01132EPSS
CVE
CVE
added 2024/11/22 3:43 p.m.416 views

CVE-2024-52804

The CVE-2024-52804 issue affects Tornado prior to 6.4.2, where the HTTP cookie parsing algorithm can exhibit quadratic complexity, causing high CPU usage in the event loop and potential DoS. The documented fix is upgrading to Tornado 6.4.2. Connected advisories also reference mitigation in packag...

7.5CVSS7.3AI score0.01051EPSS
CVE
CVE
added 2025/05/15 9:17 p.m.406 views

CVE-2025-47287

Summary: CVE-2025-47287 affects Tornado (Python Tornado) where the multipart/form-data parser can log an excessive amount of messages and continue parsing, causing a DoS due to synchronous logging. All versions prior to 6.5.0 are affected; a patch is available in Tornado 6.5.0/6.50. Affects: Torn...

7.5CVSS7.1AI score0.00667EPSS
CVE
CVE
added 2020/01/24 5:3 p.m.108 views

CVE-2014-9720

CVE-2014-9720 affects Tornado before 3.2.2. The issue allows remote attackers to exploit BREACH by receiving arbitrary HTTP responses that include a fixed CSRF token, potentially combined with HTTP compression. Root cause: responses may leak the CSRF token under compression. Impact described in s...

6.5CVSS6.3AI score0.02489EPSS
CVE
CVE
added 2026/03/11 7:27 p.m.104 views

CVE-2026-31958

Tornado (Python) before 6.5.5 is vulnerable in its multipart/form-data parsing: the only limit is max_body_size (default 100MB) and parsing occurs synchronously on the main thread, enabling denial-of-service via very large multipart bodies with many parts. The issue is fixed in 6.5.5. CVSS metric...

8.7CVSS5.8AI score0.00375EPSS
CVE
CVE
added 2012/05/23 8:0 p.m.61 views

CVE-2012-2374

CVE-2012-2374 is a Tornado CRLF injection vulnerability in the function tornado.web.RequestHandler.set_header, where input crafted by an attacker can inject arbitrary HTTP headers and enable HTTP response splitting. The issue affects Tornado versions prior to 2.2.1. The vulnerability enables an a...

5CVSS6.8AI score0.01362EPSS
CVE
CVE
added 2025/12/12 6:13 a.m.47 views

CVE-2025-67726

Tornado (Python) vulnerability CVE-2025-67726 affects versions 6.5.2 and earlier, due to an inefficient _parseparam-based parsing of HTTP header parameters (e.g., Content-Disposition). The implementation repeatedly calls string.count() inside a nested loop while handling quoted semicolons, causin...

7.5CVSS6.4AI score0.00371EPSS
CVE
CVE
added 2025/12/12 5:36 a.m.39 views

CVE-2025-67724

Summary (CVE-2025-67724 family: Tornado 6.5.x) Tornado, a Python web framework/networking library, is affected in versions 6.5.2 and earlier. The issue fixes unescaped reason phrases in HTTP headers (header injection risk) and in the default HTML error page (potential XSS) when data is passed to ...

6.1CVSS6.2AI score0.00185EPSS
CVE
CVE
added 2025/12/12 5:49 a.m.37 views

CVE-2025-67725

Tornado (Python) vulnerable in versions

7.5CVSS6.3AI score0.00396EPSS
CVE
CVE
added 2026/04/03 2:25 a.m.28 views

CVE-2026-35536

Tornado

7.2CVSS5.9AI score0.00237EPSS