tornado
PyPI10 known CVEs affecting this package
Aggregated from OSV, GitHub Security Advisories, NVD, and vendor advisories. Each CVE links to its full detail page with vendor advisories, patches, fixed versions, and remediation guidance.
CVEs affecting tornadopage 1 of 1
- CVE-2012-2374NONECVSS 0.0EG 0.0✓ Fixed in 2.2.12012-05-23
vulnerable: 0.2 ... 2.2 (10 versions)
CRLF injection vulnerability in the tornado.web.RequestHandler.set_header function in Tornado before 2.2.1 allows remote attackers to inject arbitrary HTTP headers and conduct HTTP response splitting attacks via crafted input.
- CVE-2014-9720MEDIUMCVSS 6.5EG 6.5✓ Fixed in 3.2.22020-01-24
vulnerable: 0.2 ... v1.0.0 (36 versions)
Tornado before 3.2.2 sends arbitrary responses that contain a fixed CSRF token and may be sent with HTTP compression, which makes it easier for remote attackers to conduct a BREACH attack and determine this token via a series of crafted re…
- CVE-2023-28370MEDIUMCVSS 6.1EG 6.1✓ Fixed in 6.3.22023-05-25
vulnerable: 0.2 ... 6.3b1 (68 versions)
Open redirect vulnerability in Tornado versions 6.3.1 and earlier allows a remote unauthenticated attacker to redirect a user to an arbitrary web site and conduct a phishing attack by having user access a specially crafted URL.
- CVE-2024-52804HIGHCVSS 7.5EG 7.5✓ Fixed in 6.4.22024-11-22
vulnerable: 0.2 ... 6.4b1 (73 versions)
Tornado is a Python web framework and asynchronous networking library. The algorithm used for parsing HTTP cookies in Tornado versions prior to 6.4.2 sometimes has quadratic complexity, leading to excessive CPU consumption when parsing mal…
- CVE-2025-47287HIGHCVSS 7.5EG 7.5✓ Fixed in 6.52025-05-15
vulnerable: 0.2 ... 6.5b1 (75 versions)
Tornado is a Python web framework and asynchronous networking library. When Tornado's ``multipart/form-data`` parser encounters certain errors, it logs a warning but continues trying to parse the remainder of the data. This allows remote a…
- CVE-2026-31958HIGHCVSS 7.5EG 7.5✓ Fixed in 6.5.52026-03-12
vulnerable: 0.2 ... 6.5b1 (80 versions)
Tornado is vulnerable to DoS due to too many multipart parts In versions of Tornado prior to 6.5.5, the only limit on the number of parts in `multipart/form-data` is the `max_body_size` setting (default 100MB). Since parsing occurs synchr…
- CVE-2026-35536HIGHCVSS 7.2EG 7.2✓ Fixed in 6.5.52026-04-03
vulnerable: 0.2 ... 6.5b1 (80 versions)
In Tornado before 6.5.5, cookie attribute injection could occur because the domain, path, and samesite arguments to .RequestHandler.set_cookie were not checked for crafted characters.
- CVE-2026-49853HIGHCVSS 7.7EG 7.7✓ Fixed in 6.5.62026-06-15
vulnerable: 0.2 ... 6.5b1 (81 versions)
Tornado: Authorization header forwarded across cross-origin redirects in SimpleAsyncHTTPClient ## Summary When SimpleAsyncHTTPClient follows a 3xx redirect, it shallow-copies the original HTTPRequest, rewrites the URL, decrements max_red…
- CVE-2026-49854LOWCVSS 3.7EG 3.7✓ Fixed in 6.5.62026-06-12
vulnerable: 0.2 ... 6.5b1 (81 versions)
Tornado has out-of-bounds memory access via C extension ### Summary Tornado's optional native extension `tornado.speedups` implements `websocket_mask` without validating that the `mask` argument is exactly four bytes long. The C function…
- CVE-2026-49855HIGHCVSS 7.5EG 7.5✓ Fixed in 6.5.62026-06-15
vulnerable: 0.2 ... 6.5b1 (81 versions)
tornado AsyncHTTPClient accumulates decompressed chunks without size limit (gzip bomb) Tornado's gzip decompression routines work in limited-size chunks, but have no overall limit for the total size of decompressed chunks that they will a…
Check whether tornado is used in your infrastructure
EchelonGraph scans your cloud and SBOMs to map every package to your actual deployments. See blast radius for tornado CVEs against the assets you own.
Start Free Scan →