High severity · NVD Advisory · Published May 23, 2012 · Updated Apr 29, 2026
CVE-2012-2374
Description
CRLF injection vulnerability in the tornado.web.RequestHandler.set_header function in Tornado before 2.2.1 allows remote attackers to inject arbitrary HTTP headers and conduct HTTP response splitting attacks via crafted input.
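To make the failure mode concrete, the following added example (not Tornado's code) reimplements the header-value check both ways, as it stood before and after the fix, against a minimal stand-in for set_header. The names unsafe_before_fix, unsafe_after_fix, set_header, count_header_lines and demo are mine; the probe value is the one from the patch's own test.

```python
import re

# Same length cap as the Tornado check in _convert_header_value.
MAX_HEADER_LEN = 4000
CONTROL_CHAR = re.compile(r"[\x00-\x1f]")

def unsafe_before_fix(value: str) -> bool:
    """Pre-2.2.1 check: re.match anchors at offset 0, so only a value that
    *starts* with a control character is rejected."""
    return len(value) > MAX_HEADER_LEN or CONTROL_CHAR.match(value) is not None

def unsafe_after_fix(value: str) -> bool:
    """2.2.1 check: re.search scans the whole value, catching an embedded CRLF."""
    return len(value) > MAX_HEADER_LEN or CONTROL_CHAR.search(value) is not None

def set_header(headers: dict, name: str, value: str, unsafe=unsafe_after_fix) -> None:
    """Minimal stand-in for RequestHandler.set_header (hypothetical, not Tornado's):
    validate the value with the given check, then store it."""
    if unsafe(value):
        raise ValueError("Unsafe header value %r" % value)
    headers[name] = value

def count_header_lines(headers: dict) -> int:
    """Serialize headers the way they go on the wire and count the resulting
    lines; a value that split the response shows up as an extra line."""
    wire = "".join("%s: %s\r\n" % (k, v) for k, v in headers.items())
    return wire.count("\r\n")

def demo(value: str) -> dict:
    """Run one constructed value through both checks and report what each
    would let onto the wire."""
    result = {}
    for label, check in (("before", unsafe_before_fix), ("after", unsafe_after_fix)):
        headers = {}
        try:
            set_header(headers, "X-Foo", value, unsafe=check)
            result[label] = count_header_lines(headers)  # header lines emitted
        except ValueError:
            result[label] = "rejected"
    return result

if __name__ == "__main__":
    # Probe value taken from the patch's own test case; the CRLF is mid-string.
    print(demo("foo\r\nX-Bar: baz"))  # {'before': 2, 'after': 'rejected'}
    print(demo("\x0bleading"))         # {'before': 'rejected', 'after': 'rejected'}
    print(demo("plain"))               # {'before': 1, 'after': 1}
```

The "before" column shows why the old check was hollow: one X-Foo header becomes two header lines, while a value that merely begins with a control character was already caught.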
Affected packages
Versions sourced from the GitHub Security Advisory.
| Package | Affected versions | Patched versions |
|---|---|---|
| tornado (PyPI) | < 2.2.1 | 2.2.1 |
Affected products
- cpe:2.3:a:tornadoweb:tornado:*:*:*:*:*:*:*:* (range: <= 2.2)
- cpe:2.3:a:tornadoweb:tornado:1.0:*:*:*:*:*:*:*
- cpe:2.3:a:tornadoweb:tornado:1.0.1:*:*:*:*:*:*:*
- cpe:2.3:a:tornadoweb:tornado:1.1:*:*:*:*:*:*:*
- cpe:2.3:a:tornadoweb:tornado:1.1.1:*:*:*:*:*:*:*
- cpe:2.3:a:tornadoweb:tornado:1.2:*:*:*:*:*:*:*
- cpe:2.3:a:tornadoweb:tornado:1.2.1:*:*:*:*:*:*:*
- cpe:2.3:a:tornadoweb:tornado:2.0:*:*:*:*:*:*:*
- cpe:2.3:a:tornadoweb:tornado:2.1:*:*:*:*:*:*:*
- cpe:2.3:a:tornadoweb:tornado:2.1.1:*:*:*:*:*:*:*
Patches
1ae91f6d58e6 Fix response header sanitization.
2 files changed · +16 −1
tornado/test/web_test.py+15 −0 modified@@ -335,6 +335,16 @@ def get(self): raise Exception("didn't get permanent or status arguments") +class HeaderInjectionHandler(RequestHandler): + def get(self): + try: + self.set_header("X-Foo", "foo\r\nX-Bar: baz") + raise Exception("Didn't get expected exception") + except ValueError, e: + assert "Unsafe header value" in str(e) + self.finish(b("ok")) + + class WebTest(AsyncHTTPTestCase, LogTrapTestCase): def get_app(self): loader = DictLoader({ @@ -359,6 +369,7 @@ def get_app(self): url("/flow_control", FlowControlHandler), url("/multi_header", MultiHeaderHandler), url("/redirect", RedirectHandler), + url("/header_injection", HeaderInjectionHandler), ] return Application(urls, template_loader=loader, @@ -452,6 +463,10 @@ def test_redirect(self): response = self.fetch("/redirect?status=307", follow_redirects=False) self.assertEqual(response.code, 307) + def test_header_injection(self): + response = self.fetch("/header_injection") + self.assertEqual(response.body, b("ok")) + class ErrorResponseTest(AsyncHTTPTestCase, LogTrapTestCase): def get_app(self):
tornado/web.py+1 −1 modified@@ -275,7 +275,7 @@ def _convert_header_value(self, value): # If \n is allowed into the header, it is possible to inject # additional headers or split the request. Also cap length to # prevent obviously erroneous values. - if len(value) > 4000 or re.match(b(r"[\x00-\x1f]"), value): + if len(value) > 4000 or re.search(b(r"[\x00-\x1f]"), value): raise ValueError("Unsafe header value %r", value) return value
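Review bot: in the HeaderInjectionHandler hunk of web_test.py, the single probe value "foo\r\nX-Bar: baz" pins the regression (a control character that is not at offset 0), but nothing asserts the two behaviours that must keep working: a clean value is still accepted and a value beginning with a control character is still rejected. Consider adding one set_header call of each kind to the handler so that a future change to the regex cannot silently pass the test while breaking either direction.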
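Review bot: in the web.py hunk the re.match to re.search swap is the entire fix and it is correct: re.match only tests offset 0, so `[\x00-\x1f]` rejected a value that began with a control character but let "foo\r\nX-Bar: baz" through, where the embedded CRLF terminates the header and starts a new one; re.search tests every position. Two points on the unchanged lines: `ValueError("Unsafe header value %r", value)` passes value as a second exception argument instead of formatting it, so the message never contains the repr (the new test only passes because str() of a two-argument exception includes the whole args tuple), and `"Unsafe header value %r" % value` is what was intended. The comment also says "split the request" where it is the response that is split.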
References
- www.tornadoweb.org/documentation/releases/v2.2.1.html (NVD; vendor advisory)
- github.com/advisories/GHSA-f7fv-v9rh-prvc (GHSA; advisory)
- nvd.nist.gov/vuln/detail/CVE-2012-2374 (GHSA; advisory)
- openwall.com/lists/oss-security/2012/05/18/12 (NVD)
- www.openwall.com/lists/oss-security/2012/05/18/6 (NVD)
- github.com/pypa/advisory-database/tree/main/vulns/tornado/PYSEC-2012-5.yaml (GHSA)
- github.com/tornadoweb/tornado/commit/1ae91f6d58e6257e0ab49d295d8741ce1727bdb7 (GHSA; fix commit)
- web.archive.org/web/20140720192646/http://secunia.com/advisories/49185 (GHSA)
- web.archive.org/web/20200229124524/http://www.securityfocus.com/bid/53612 (GHSA)
- secunia.com/advisories/49185 (NVD)
- www.securityfocus.com/bid/53612 (NVD)