Security: tornadoweb/tornado
Security Advisories
View known security vulnerabilities and report new vulnerabilities privately to maintainers.
-
CurlAsyncHTTPClient leaks per-request credentials on handle reuseGHSA-pw6j-qg29-8w7f published
Jun 8, 2026 by bdarnellModerate -
Out-of-bounds memory access in C extensionGHSA-cx3h-4qpv-8hc9 published
May 27, 2026 by bdarnellModerate -
tornado AsyncHTTPClient accumulates decompressed chunks without size limit (gzip bomb)GHSA-mgf9-4vpg-hj56 published
May 27, 2026 by bdarnellHigh -
Authorization header forwarded across cross-origin redirects in SimpleAsyncHTTPClientGHSA-3x9g-8vmp-wqvf published
May 27, 2026 by bdarnellHigh -
Incomplete validation of cookie attributesGHSA-78cv-mqj4-43f7 published
Mar 10, 2026 by bdarnellModerate -
DoS due to too many multipart partsGHSA-qjxf-f2mg-c6mc published
Mar 10, 2026 by bdarnellHigh -
Quadratic DoS via Crafted Multipart ParametersGHSA-jhmp-mqwm-3gq8 published
Dec 11, 2025 by bdarnellHigh -
Quadratic DoS via Repeated Header CoalescingGHSA-c98p-7wgm-6p64 published
Dec 11, 2025 by bdarnellHigh -
Header injection and XSS via `reason` argumentGHSA-pr2v-jx2c-wg9f published
Dec 11, 2025 by bdarnellModerate -
Excessive logging caused by malformed multipart form dataGHSA-7cx3-6m66-7c5m published
May 15, 2025 by bdarnellHigh