rpm package
opensuse/python-tornado6&distro=openSUSE Tumbleweed
pkg:rpm/opensuse/python-tornado6&distro=openSUSE%20Tumbleweed
Vulnerabilities (9)
| CVE | Sev | CVSS | KEV | Affected versions | Fixed in | Published | Description |
|---|---|---|---|---|---|---|---|
| CVE-2026-49853 | hig | — | < 6.5.7-1.1 | 6.5.7-1.1 | Jun 15, 2026 | ## Summary When SimpleAsyncHTTPClient follows a 3xx redirect, it shallow-copies the original HTTPRequest, rewrites the URL, decrements max_redirects, and removes only the Host header. It does not clear Authorization, auth_username, auth_password, or auth_mode when the redirect t | |
| CVE-2026-49855 | hig | — | < 6.5.7-1.1 | 6.5.7-1.1 | Jun 15, 2026 | Tornado's gzip decompression routines work in limited-size chunks, but have no overall limit for the total size of decompressed chunks that they will accumulate (There has always been a limit for the total *compressed* size). This allows a malicious server to consume effectively | |
| CVE-2026-49854 | low | — | < 6.5.7-1.1 | 6.5.7-1.1 | Jun 12, 2026 | ### Summary Tornado's optional native extension `tornado.speedups` implements `websocket_mask` without validating that the `mask` argument is exactly four bytes long. The C function reads four bytes from `mask` unconditionally, even when Python passes a shorter byte string. This | |
| CVE-2026-31958 | Hig | 7.5 | < 6.5.5-1.1 | 6.5.5-1.1 | Mar 11, 2026 | Tornado is a Python web framework and asynchronous networking library. In versions of Tornado prior to 6.5.5, the only limit on the number of parts in multipart/form-data is the max_body_size setting (default 100MB). Since parsing occurs synchronously on the main thread, this cre | |
| CVE-2025-67726 | — | < 6.5.4-1.1 | 6.5.4-1.1 | Dec 12, 2025 | Tornado is a Python web framework and asynchronous networking library. Versions 6.5.2 and below use an inefficient algorithm when parsing parameters for HTTP header values, potentially causing a DoS. The _parseparam function in httputil.py is used to parse specific HTTP header va | ||
| CVE-2025-67725 | — | < 6.5.4-1.1 | 6.5.4-1.1 | Dec 12, 2025 | Tornado is a Python web framework and asynchronous networking library. In versions 6.5.2 and below, a single maliciously crafted HTTP request can block the server's event loop for an extended period, caused by the HTTPHeaders.add method. The function accumulates values using stri | ||
| CVE-2025-67724 | — | < 6.5.4-1.1 | 6.5.4-1.1 | Dec 12, 2025 | Tornado is a Python web framework and asynchronous networking library. In versions 6.5.2 and below, the supplied reason phrase is used unescaped in HTTP headers (where it could be used for header injection) or in HTML in the default error page (where it could be used for XSS) and | ||
| CVE-2025-47287 | — | < 6.5-1.1 | 6.5-1.1 | May 15, 2025 | Tornado is a Python web framework and asynchronous networking library. When Tornado's ``multipart/form-data`` parser encounters certain errors, it logs a warning but continues trying to parse the remainder of the data. This allows remote attackers to generate an extremely high vo | ||
| CVE-2024-52804 | — | < 6.4.2-1.1 | 6.4.2-1.1 | Nov 22, 2024 | Tornado is a Python web framework and asynchronous networking library. The algorithm used for parsing HTTP cookies in Tornado versions prior to 6.4.2 sometimes has quadratic complexity, leading to excessive CPU consumption when parsing maliciously-crafted cookie headers. This par |
- affected < 6.5.7-1.1fixed 6.5.7-1.1
## Summary When SimpleAsyncHTTPClient follows a 3xx redirect, it shallow-copies the original HTTPRequest, rewrites the URL, decrements max_redirects, and removes only the Host header. It does not clear Authorization, auth_username, auth_password, or auth_mode when the redirect t
- affected < 6.5.7-1.1fixed 6.5.7-1.1
Tornado's gzip decompression routines work in limited-size chunks, but have no overall limit for the total size of decompressed chunks that they will accumulate (There has always been a limit for the total *compressed* size). This allows a malicious server to consume effectively
- affected < 6.5.7-1.1fixed 6.5.7-1.1
### Summary Tornado's optional native extension `tornado.speedups` implements `websocket_mask` without validating that the `mask` argument is exactly four bytes long. The C function reads four bytes from `mask` unconditionally, even when Python passes a shorter byte string. This
- affected < 6.5.5-1.1fixed 6.5.5-1.1
Tornado is a Python web framework and asynchronous networking library. In versions of Tornado prior to 6.5.5, the only limit on the number of parts in multipart/form-data is the max_body_size setting (default 100MB). Since parsing occurs synchronously on the main thread, this cre
- CVE-2025-67726Dec 12, 2025affected < 6.5.4-1.1fixed 6.5.4-1.1
Tornado is a Python web framework and asynchronous networking library. Versions 6.5.2 and below use an inefficient algorithm when parsing parameters for HTTP header values, potentially causing a DoS. The _parseparam function in httputil.py is used to parse specific HTTP header va
- CVE-2025-67725Dec 12, 2025affected < 6.5.4-1.1fixed 6.5.4-1.1
Tornado is a Python web framework and asynchronous networking library. In versions 6.5.2 and below, a single maliciously crafted HTTP request can block the server's event loop for an extended period, caused by the HTTPHeaders.add method. The function accumulates values using stri
- CVE-2025-67724Dec 12, 2025affected < 6.5.4-1.1fixed 6.5.4-1.1
Tornado is a Python web framework and asynchronous networking library. In versions 6.5.2 and below, the supplied reason phrase is used unescaped in HTTP headers (where it could be used for header injection) or in HTML in the default error page (where it could be used for XSS) and
- CVE-2025-47287May 15, 2025affected < 6.5-1.1fixed 6.5-1.1
Tornado is a Python web framework and asynchronous networking library. When Tornado's ``multipart/form-data`` parser encounters certain errors, it logs a warning but continues trying to parse the remainder of the data. This allows remote attackers to generate an extremely high vo
- CVE-2024-52804Nov 22, 2024affected < 6.4.2-1.1fixed 6.4.2-1.1
Tornado is a Python web framework and asynchronous networking library. The algorithm used for parsing HTTP cookies in Tornado versions prior to 6.4.2 sometimes has quadratic complexity, leading to excessive CPU consumption when parsing maliciously-crafted cookie headers. This par