tornado@2.1.1

Tornado is a Python web framework and asynchronous networking library, originally developed at FriendFeed.

  • latest version

    6.5.7

  • latest non vulnerable version

  • first published

    16 years ago

  • latest version published

    10 days ago

  • licenses detected

  • Direct Vulnerabilities

    Known vulnerabilities in the tornado package. This does not include vulnerabilities belonging to this package’s dependencies.

    Vulnerability | Vulnerable Version
    • H
    Operation on a Resource after Expiration or Release

    Affected versions of this package are vulnerable to Operation on a Resource after Expiration or Release in the CurlAsyncHTTPClient, where per-request credentials such as client TLS certificates or proxy authentication details are not properly cleared when reusing handles across requests. An attacker can obtain sensitive credentials intended for a previous request by triggering a subsequent request to a different host or proxy, causing the credentials to be sent to an unintended recipient.

    Note: This is only exploitable if the application uses the optional CurlAsyncHTTPClient backend and is configured in a manner that matches the affected proxy-related usage patterns. Applications using the default SimpleAsyncHTTPClient backend are not affected, as it does not support proxies.

    How to fix Operation on a Resource after Expiration or Release?

    Upgrade tornado to version 6.5.7 or higher.

    [,6.5.7)
    • M
    Improper Handling of Highly Compressed Data (Data Amplification)

    Affected versions of this package are vulnerable to Improper Handling of Highly Compressed Data (Data Amplification) in the AsyncHTTPClient. An attacker can cause excessive memory consumption by sending a response with a small compressed size that decompresses to a very large payload, leading to resource exhaustion.

    Note: This is only exploitable if decompress_request=True is set on HTTPServer.

    How to fix Improper Handling of Highly Compressed Data (Data Amplification)?

    Upgrade tornado to version 6.5.6 or higher.

    [,6.5.6)
    • M
    Incorrect Resource Transfer Between Spheres

    Affected versions of this package are vulnerable to Incorrect Resource Transfer Between Spheres via SimpleAsyncHTTPClient. An attacker can obtain sensitive credentials by exploiting cross-origin redirects when the Authorization header is improperly forwarded to a different origin.

    Note: This is only exploitable if follow_redirects is enabled and a redirect changes the scheme, host, or port of the URL. This is the default configuration.

    How to fix Incorrect Resource Transfer Between Spheres?

    Upgrade tornado to version 6.5.6 or higher.

    [,6.5.6)
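
The check a client must make before replaying a request to a redirect target, as an added example written for this page (not Tornado's own SimpleAsyncHTTPClient code). Origins are compared on scheme, host and port, the three components the advisory names, and credential-bearing headers are dropped whenever any of them differs. The set of headers treated as credentials and the function names are this example's own choices.

```python
from urllib.parse import urlsplit

# Example code, not Tornado's implementation. Treating Cookie and Proxy-Authorization
# as credentials alongside Authorization is an assumption of this example.
CREDENTIAL_HEADERS = frozenset({"authorization", "proxy-authorization", "cookie"})
DEFAULT_PORTS = {"http": 80, "https": 443}


def origin_of(url):
    """Return (scheme, host, port) for url, filling in the scheme's default port."""
    parts = urlsplit(url)
    scheme = parts.scheme.lower()
    host = (parts.hostname or "").lower()
    port = parts.port if parts.port is not None else DEFAULT_PORTS.get(scheme)
    return scheme, host, port


def same_origin(url_a, url_b):
    """True only when scheme, host and port all match (an explicit default port counts as equal)."""
    return origin_of(url_a) == origin_of(url_b)


def headers_for_redirect(original_url, redirect_url, headers):
    """Return the headers that may be sent to redirect_url.

    Same-origin redirects keep everything; cross-origin ones lose every credential header,
    which is what a client must do instead of replaying Authorization to the new host.
    """
    if same_origin(original_url, redirect_url):
        return dict(headers)
    return {k: v for k, v in headers.items() if k.lower() not in CREDENTIAL_HEADERS}


def follow(original_url, redirect_url, headers):
    """Stand-in for a client's redirect step: where the request goes and with which headers."""
    kept = headers_for_redirect(original_url, redirect_url, headers)
    dropped = sorted(set(headers) - set(kept))
    return {"url": redirect_url, "headers": kept, "dropped": dropped}


if __name__ == "__main__":
    # Constructed sample: a bearer token that must not leak to a different host.
    req = {"Authorization": "Bearer s3cr3t", "Accept": "application/json"}
    print(follow("https://api.example.com/login", "https://api.example.com/home", req))
    print(follow("https://api.example.com/login", "https://cdn.example.net/home", req))
```

The comparison deliberately normalises default ports, so a redirect from https://host/ to https://host:443/ is still same-origin; anything else, including an https to http downgrade on the same host, strips the credentials.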
    • M
    Buffer Over-read

    Affected versions of this package are vulnerable to Buffer Over-read via the websocket_mask function in the speedups component. An attacker can trigger a read past the end of the mask string by supplying a mask value shorter or longer than 4 bytes. This can expose adjacent process memory to the caller and can crash the interpreter when the optimized masking path is used.

    Notes

    • The vulnerable path is the native tornado.speedups extension, which is optional and can be disabled by setting TORNADO_EXTENSION=0; deployments that never load the C extension use the pure-Python masking code instead.
    • The behavior is only reachable from Tornado's XSRF token decoder when xsrf_cookies=True and the native extension is active.

    Workarounds

    • Set TORNADO_EXTENSION=0 before starting the application to disable the native tornado.speedups extension and avoid the vulnerable websocket_mask path, at the cost of reduced websocket performance.

    How to fix Buffer Over-read?

    Upgrade tornado to version 6.5.6 or higher.

    [,6.5.6)
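
The masking primitive and the token layout that reaches it, as an added example (this page's code, not tornado.speedups or tornado.web): a pure-Python websocket_mask that refuses anything but a 4-byte mask, and a decoder for a 2|mask|masked_token|timestamp cookie that turns a wrong-length mask into a rejected token instead of an out-of-bounds read. The cookie layout is assumed to mirror Tornado's version-2 XSRF token; the function names are this example's.

```python
import binascii
import os

# Example code, not tornado.speedups or tornado.web. The length check is the point:
# the native fast path in affected versions assumed len(mask) == 4 without verifying it.


def websocket_mask(mask, data):
    """XOR data with the repeating 4-byte mask (RFC 6455 masking); reject other lengths."""
    if not isinstance(mask, (bytes, bytearray)) or len(mask) != 4:
        raise ValueError("websocket mask must be exactly 4 bytes, got %r" % (mask,))
    return bytes(b ^ mask[i & 3] for i, b in enumerate(data))


def encode_xsrf_token_v2(token, timestamp, mask=None):
    """Render '2|<mask hex>|<masked token hex>|<timestamp>' (layout assumed, see lead-in)."""
    mask = mask if mask is not None else os.urandom(4)
    masked = websocket_mask(mask, token)
    return "2|%s|%s|%d" % (
        binascii.hexlify(mask).decode("ascii"),
        binascii.hexlify(masked).decode("ascii"),
        timestamp,
    )


def decode_xsrf_token_v2(cookie):
    """Return (token, timestamp) for a well-formed cookie, or None for anything malformed.

    A mask field that is not exactly 4 bytes, such as '2|aabb|...' or '2|aabbccddee|...',
    is rejected here rather than handed to the masking routine.
    """
    try:
        version, mask_hex, masked_hex, ts = cookie.split("|")
        if version != "2":
            return None
        mask = binascii.unhexlify(mask_hex)
        masked = binascii.unhexlify(masked_hex)
        return websocket_mask(mask, masked), int(ts)
    except (ValueError, binascii.Error):
        return None


if __name__ == "__main__":
    # Constructed sample token with a fixed mask so the output is reproducible.
    token = bytes(range(16))
    cookie = encode_xsrf_token_v2(token, 1700000000, mask=b"\xaa\xbb\xcc\xdd")
    print(cookie, decode_xsrf_token_v2(cookie))
    print(decode_xsrf_token_v2("2|aabb|0011223344|1700000000"))  # short mask: rejected
```

The cookie is attacker-controlled input, so the decoder never lets a malformed field raise past it; a None result simply fails the XSRF check.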
    • M
    Parameter Injection

    Affected versions of this package are vulnerable to Parameter Injection in the set_cookie() function in web.py. The domain, path and samesite arguments are written into the Set-Cookie header as given, so an attacker who controls any of them can append a semicolon and inject additional cookie attributes.

    How to fix Parameter Injection?

    Upgrade tornado to version 6.5.5 or higher.

    [,6.5.5)
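
An added example (not Tornado's set_cookie) showing the unchecked rendering that lets a semicolon in the path argument append attributes, next to a hardened version that rejects attribute values containing a separator. Function names are this example's own.

```python
# Example code, not tornado.web.RequestHandler.set_cookie. Function names are this example's.

_ATTRIBUTE_SEPARATORS = frozenset(";\r\n")


def render_cookie_unchecked(name, value, domain=None, path="/", samesite=None):
    """Before: attribute values are interpolated as given, so a path of
    '/; Domain=evil.example' appends a Domain attribute the application never set."""
    parts = ["%s=%s" % (name, value)]
    if domain:
        parts.append("Domain=%s" % domain)
    if path:
        parts.append("Path=%s" % path)
    if samesite:
        parts.append("SameSite=%s" % samesite)
    return "; ".join(parts)


def render_cookie(name, value, domain=None, path="/", samesite=None, secure=False, httponly=False):
    """After: every attribute value is checked before it reaches the header."""
    for attr, val in (("domain", domain), ("path", path), ("samesite", samesite)):
        if val is not None and _ATTRIBUTE_SEPARATORS.intersection(val):
            raise ValueError("illegal character in cookie %s attribute: %r" % (attr, val))
    if samesite is not None and samesite.lower() not in ("strict", "lax", "none"):
        raise ValueError("samesite must be Strict, Lax or None, got %r" % (samesite,))
    parts = ["%s=%s" % (name, value)]
    if domain:
        parts.append("Domain=%s" % domain)
    if path:
        parts.append("Path=%s" % path)
    if samesite:
        parts.append("SameSite=%s" % samesite)
    if secure:
        parts.append("Secure")
    if httponly:
        parts.append("HttpOnly")
    return "; ".join(parts)


if __name__ == "__main__":
    hostile_path = "/; Domain=evil.example"  # constructed attacker-controlled value
    print(render_cookie_unchecked("sid", "abc", path=hostile_path))
    try:
        render_cookie("sid", "abc", path=hostile_path)
    except ValueError as exc:
        print("rejected:", exc)
```

samesite is additionally restricted to its three defined values, which closes the injection for that attribute even without the character check.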
    • H
    Allocation of Resources Without Limits or Throttling

    Affected versions of this package are vulnerable to Allocation of Resources Without Limits or Throttling during the parsing of multipart/form-data bodies containing an excessive number of parts.

    How to fix Allocation of Resources Without Limits or Throttling?

    Upgrade tornado to version 6.5.5 or higher.

    [,6.5.5)
    • H
    Excessive Iteration

    Affected versions of this package are vulnerable to Excessive Iteration in the _parseparam() function. An attacker can cause the server to become unresponsive and consume excessive CPU resources by sending requests with a large number of maliciously crafted parameters in the Content-Disposition header.

    How to fix Excessive Iteration?

    Upgrade tornado to version 6.5.3 or higher.

    [,6.5.3)
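
An added example (this page's code, not Tornado's _parseparam): a single-pass parser for Content-Disposition style headers that honours quoted strings and backslash escapes, costs time proportional to the header length, and caps the number of parameters so a header stuffed with thousands of them is rejected rather than processed. The cap value and the function name are this example's choices.

```python
# Example code, not tornado.httputil._parseparam. The max_params cap is an arbitrary choice.


def parse_header(line, max_params=64):
    """Parse 'main; k=v; k2="quoted; value"' into (main_value, {k: v}) in one linear pass.

    Quoted strings may contain ';' and backslash-escaped quotes; everything else is
    split on ';'. No regex and no re-scanning of the remaining string, so a header
    with many parameters costs O(len(line)), and more than max_params of them aborts
    parsing as soon as the limit is crossed.
    """
    fields = []
    buf = []
    in_quotes = False
    escaped = False
    for ch in line:
        if escaped:  # character after a backslash inside quotes is literal
            buf.append(ch)
            escaped = False
        elif in_quotes and ch == "\\":
            escaped = True
        elif ch == '"':
            in_quotes = not in_quotes
        elif ch == ";" and not in_quotes:
            fields.append("".join(buf))
            buf = []
            if len(fields) - 1 > max_params:
                raise ValueError("more than %d parameters in header" % max_params)
        else:
            buf.append(ch)
    fields.append("".join(buf))

    main_value = fields[0].strip().lower()
    params = {}
    for field in fields[1:]:
        field = field.strip()
        if not field:
            continue
        key, _, value = field.partition("=")
        params[key.strip().lower()] = value.strip()
    return main_value, params


if __name__ == "__main__":
    # Constructed sample headers: a normal upload part and a hostile one with 5000 parameters.
    print(parse_header('form-data; name="file"; filename="a;b.txt"'))
    try:
        parse_header("form-data" + "; x=1" * 5000)
    except ValueError as exc:
        print("rejected:", exc)
```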
    • M
    HTTP Header Injection

    Affected versions of this package are vulnerable to HTTP Header Injection via the reason argument in HTTP status handling. An attacker can inject arbitrary HTTP headers or execute malicious scripts in the browser by supplying crafted input to the RequestHandler.set_status or tornado.web.HTTPError parameters.

    Workaround

    This issue can be mitigated by never passing untrusted data as the reason argument.

    How to fix HTTP Header Injection?

    Upgrade tornado to version 6.5.3 or higher.

    [,6.5.3)
    • H
    Inefficient Algorithmic Complexity

    Affected versions of this package are vulnerable to Inefficient Algorithmic Complexity in the HTTPHeaders.add method. An attacker can cause the server's event loop to become unresponsive for an extended period by sending a single maliciously crafted HTTP request with repeated header names, leading to excessive string concatenation and high CPU usage.

    Note:

    This is only exploitable if the max_header_size configuration has been increased from its default value.

    How to fix Inefficient Algorithmic Complexity?

    Upgrade tornado to version 6.5.3 or higher.

    [,6.5.3)
    • H
    Allocation of Resources Without Limits or Throttling

    Affected versions of this package are vulnerable to Allocation of Resources Without Limits or Throttling through the multipart/form-data parser. An attacker can generate an extremely high volume of logs, leading to a denial of service by sending malformed multipart form data that triggers continuous error logging.

    Note:

    This is only exploitable if the logging subsystem is synchronous.

    How to fix Allocation of Resources Without Limits or Throttling?

    Upgrade tornado to version 6.5 or higher.

    [,6.5)
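
A simplified parser, added here as an example (not Tornado's parse_multipart_form_data), that addresses both multipart entries above: it counts parts as it goes and aborts once a configurable limit is exceeded, and it tallies malformed parts into a single summary log line per body instead of logging each one. Boundary handling is reduced to the CRLF-delimited case; the names, the limit value and the sample body are this example's own.

```python
import logging

# Example code, not tornado.httputil.parse_multipart_form_data. Names and limits are this example's.
log = logging.getLogger("multipart_example")


class MultipartError(Exception):
    """Raised when the body is unacceptable as a whole (bad framing or too many parts)."""


def parse_multipart(body, boundary, max_parts=1000):
    """Split a multipart/form-data body into (raw_headers, content) pairs.

    Returns (parts, malformed_count). Parts lacking the blank line between headers and
    content are dropped and counted; more than max_parts delimiters aborts parsing.
    """
    delimiter = b"--" + boundary
    end = body.rfind(delimiter + b"--")
    if end == -1:
        raise MultipartError("missing close delimiter")

    parts = []
    malformed = 0
    seen = 0
    for chunk in body[:end].split(delimiter)[1:]:  # element 0 is the preamble
        seen += 1
        if seen > max_parts:
            raise MultipartError("more than %d parts in multipart body" % max_parts)
        if chunk.startswith(b"\r\n"):
            chunk = chunk[2:]
        if chunk.endswith(b"\r\n"):
            chunk = chunk[:-2]
        sep = chunk.find(b"\r\n\r\n")
        if sep == -1:
            malformed += 1  # counted, not logged per part
            continue
        parts.append((chunk[:sep], chunk[sep + 4:]))

    if malformed:
        # One line per request, so a hostile body cannot turn the logger into the bottleneck.
        log.warning("multipart body: ignored %d malformed part(s) out of %d", malformed, seen)
    return parts, malformed


# Constructed sample body: two good parts and one without the header/content separator.
BOUNDARY = b"XbOuNdArY"
SAMPLE_BODY = (
    b"--XbOuNdArY\r\n"
    b'Content-Disposition: form-data; name="user"\r\n'
    b"\r\n"
    b"alice\r\n"
    b"--XbOuNdArY\r\n"
    b"no blank line here, so this part is malformed\r\n"
    b"--XbOuNdArY\r\n"
    b'Content-Disposition: form-data; name="note"\r\n'
    b"\r\n"
    b"hi\r\n"
    b"--XbOuNdArY--\r\n"
)


def flood_body(n):
    """Constructed body with n tiny broken parts: the shape that floods logs or exhausts parsers."""
    return b"--XbOuNdArY\r\nx\r\n" * n + b"--XbOuNdArY--\r\n"


if __name__ == "__main__":
    logging.basicConfig(level=logging.WARNING)
    print(parse_multipart(SAMPLE_BODY, BOUNDARY))
    try:
        parse_multipart(flood_body(5000), BOUNDARY, max_parts=1000)
    except MultipartError as exc:
        print("rejected:", exc)
```

Whether the synchronous logger is the bottleneck (the condition in the note above) or the parser itself, the defence is the same: bound the work per request and report in aggregate.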
    • M
    Regular Expression Denial of Service (ReDoS)

    Affected versions of this package are vulnerable to Regular Expression Denial of Service (ReDoS) due to inefficient cookie parsing that results in quadratic performance. An attacker could cause tornado to consume excessive CPU resources and block the event loop through maliciously crafted cookies.

    How to fix Regular Expression Denial of Service (ReDoS)?

    Upgrade tornado to version 6.4.2 or higher.

    [,6.4.2)
    • M
    HTTP Request Smuggling

    Affected versions of this package are vulnerable to HTTP Request Smuggling due to the handling of multiple Transfer-Encoding: chunked headers. An attacker can desynchronize the connection and potentially bypass ACLs or poison caches by sending crafted requests with duplicate Transfer-Encoding: chunked headers.

    How to fix HTTP Request Smuggling?

    Upgrade tornado to version 6.4.1 or higher.

    [,6.4.1)
    • M
    Improper Neutralization of CRLF Sequences ('CRLF Injection')

    Affected versions of this package are vulnerable to Improper Neutralization of CRLF Sequences ('CRLF Injection') through the CurlAsyncHTTPClient headers. An attacker can manipulate HTTP headers and construct unauthorized requests by injecting CRLF sequences into header values.

    How to fix Improper Neutralization of CRLF Sequences ('CRLF Injection')?

    Upgrade tornado to version 6.4.1 or higher.

    [,6.4.1)
    • M
    HTTP Request Smuggling

    Affected versions of this package are vulnerable to HTTP Request Smuggling because chunk length and Content-Length values were converted with Python's int constructor, which accepts characters (such as -, +, and _) that the HTTP grammar does not allow, so Tornado and a proxy in front of it can disagree about where a request body ends.

    Notes:

    1. This is possible when Tornado is deployed behind certain proxies that interpret those non-standard characters differently.
    2. This is known to apply to older versions of haproxy, although the current release is not affected.

    How to fix HTTP Request Smuggling?

    Upgrade tornado to version 6.3.3 or higher.

    [,6.3.3)
    • M
    HTTP Request Smuggling

    Affected versions of this package are vulnerable to HTTP Request Smuggling due to improper parsing of the -, +, and _ characters in chunk length and Content-Length fields through the int constructor.

    Note: Exploiting this vulnerability is possible if Tornado is deployed behind certain proxies that interpret non-standard characters differently, such as older versions of haproxy.

    How to fix HTTP Request Smuggling?

    Upgrade tornado to version 6.3.3 or higher.

    [,6.3.3)
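
An added example, not Tornado's http1connection code, covering the three smuggling entries above (duplicate Transfer-Encoding: chunked headers, and Content-Length or chunk-size values run through int()): first the lenient conversion affected versions relied on, then a strict parser that accepts only the digits the grammar allows, and a framing decision that refuses duplicate or conflicting length headers. Header values are handled as str here; the names are this example's.

```python
import re

# Example code, not tornado.http1connection. Names are this example's.
_CONTENT_LENGTH_RE = re.compile(r"^[0-9]+$")   # RFC 7230: 1*DIGIT, nothing else
_CHUNK_SIZE_RE = re.compile(r"^[0-9a-fA-F]+$")  # chunk-size = 1*HEXDIG


def lenient_content_length(value):
    """What a bare int() call accepts: signs, surrounding whitespace and underscores all pass."""
    return int(value)


def strict_content_length(value):
    if not _CONTENT_LENGTH_RE.match(value):
        raise ValueError("malformed Content-Length %r" % (value,))
    return int(value)


def strict_chunk_size(line):
    """Parse a chunk-size line; chunk extensions after ';' are permitted but ignored."""
    size, _, _ext = line.partition(";")
    if not _CHUNK_SIZE_RE.match(size):
        raise ValueError("malformed chunk size %r" % (line,))
    return int(size, 16)


def body_framing(headers):
    """Decide how a message body is delimited from a list of (name, value) headers.

    Returns ("chunked", None), ("content-length", n) or ("none", 0). Duplicate
    Transfer-Encoding headers, Transfer-Encoding together with Content-Length, and
    disagreeing Content-Length values are all rejected, so this parser and any proxy
    in front of it cannot settle on different body boundaries.
    """
    te = [v.strip().lower() for n, v in headers if n.lower() == "transfer-encoding"]
    cl = [v.strip() for n, v in headers if n.lower() == "content-length"]
    if len(te) > 1:
        raise ValueError("multiple Transfer-Encoding headers")
    if te and cl:
        raise ValueError("Transfer-Encoding and Content-Length both present")
    if te:
        if te[0] != "chunked":
            raise ValueError("unsupported Transfer-Encoding %r" % (te[0],))
        return ("chunked", None)
    if len(set(cl)) > 1:
        raise ValueError("conflicting Content-Length values %r" % (cl,))
    if cl:
        return ("content-length", strict_content_length(cl[0]))
    return ("none", 0)


if __name__ == "__main__":
    # Constructed values a proxy may read differently from int().
    for raw in ("+5", " 5", "1_0", "5"):
        try:
            strict = strict_content_length(raw)
        except ValueError as exc:
            strict = "rejected (%s)" % exc
        print("%r: int() -> %d, strict -> %s" % (raw, lenient_content_length(raw), strict))
    try:
        body_framing([("Transfer-Encoding", "chunked"), ("Transfer-Encoding", "chunked")])
    except ValueError as exc:
        print("rejected:", exc)
```

Rejecting the whole request is the right response to ambiguous framing; trying to pick one interpretation is what creates the desynchronisation in the first place.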
    • L
    Open Redirect

    Affected versions of this package are vulnerable to Open Redirect via the StaticFileHandler class, due to improper validation of the default_filename parameter in the initialize function. Exploiting this vulnerability is possible under specific configurations and might result in a redirect to an attacker-controlled site.

    Note: This vulnerability is still under analysis and we are following up with the maintainers to confirm it.

    How to fix Open Redirect?

    Upgrade tornado to version 6.3.2 or higher.

    [,6.3.2)
    • H
    Denial of Service (DoS)

    Affected versions of this package are vulnerable to Denial of Service (DoS) because max_size is not enforced when decompressing compressed messages, so a small compressed message can expand far beyond the intended limit.

    How to fix Denial of Service (DoS)?

    Upgrade tornado to version 5.1 or higher.

    [,5.1)
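
Both decompression entries on this page (the data-amplification issue fixed in 6.5.6 and the unenforced max_size fixed in 5.1) call for the same control, shown here as an added example rather than Tornado's implementation: decompress in bounded steps using zlib's max_length and stop as soon as the output would exceed the limit, so a small compressed input can never allocate an unbounded buffer. wbits selects gzip (HTTP bodies) or raw deflate (as used by websocket compression extensions); the limit values, the constructed inputs and the names are this example's.

```python
import gzip
import zlib

# Example code, not Tornado's. Limits, names and the constructed inputs are this example's.


class DecompressionLimitExceeded(Exception):
    """The decompressed size would exceed the configured maximum."""


def bounded_decompress(data, max_size, wbits=zlib.MAX_WBITS | 16):
    """Decompress data but never produce more than max_size bytes.

    zlib is asked for at most (max_size - produced + 1) bytes per step; the +1 lets a
    single step reveal that the real output is larger than allowed. Input zlib did not
    consume waits in unconsumed_tail for the next step, so the compressed input is never
    expanded all at once. The default wbits decodes gzip; use -zlib.MAX_WBITS for raw deflate.
    """
    d = zlib.decompressobj(wbits=wbits)
    out = bytearray()
    pending = data
    while pending:
        chunk = d.decompress(pending, max_length=max_size - len(out) + 1)
        out += chunk
        if len(out) > max_size:
            raise DecompressionLimitExceeded(
                "output exceeds %d bytes (compressed input was %d bytes)" % (max_size, len(data))
            )
        if not chunk and d.unconsumed_tail == pending:
            raise ValueError("decompressor made no progress")  # defensive; not expected
        pending = d.unconsumed_tail
    return bytes(out)


def compression_ratio(data, wbits=zlib.MAX_WBITS | 16):
    """Decompress with no limit (unsafe on untrusted input) and report output/input size."""
    return len(zlib.decompress(data, wbits)) / len(data)


def make_gzip_bomb(size):
    """Constructed input: `size` zero bytes, which gzip shrinks by roughly a thousand to one."""
    return gzip.compress(b"\x00" * size)


def make_raw_deflate(payload):
    """Constructed input in raw deflate form, the framing websocket compression uses."""
    c = zlib.compressobj(wbits=-zlib.MAX_WBITS)
    return c.compress(payload) + c.flush()


if __name__ == "__main__":
    bomb = make_gzip_bomb(4_000_000)
    print("compressed %d bytes, ratio %.0f:1" % (len(bomb), compression_ratio(bomb)))
    try:
        bounded_decompress(bomb, max_size=1_000_000)
    except DecompressionLimitExceeded as exc:
        print("rejected:", exc)
    frame = make_raw_deflate(b"A" * 50000)
    print(len(bounded_decompress(frame, 50000, wbits=-zlib.MAX_WBITS)), "bytes from websocket-style frame")
```

The limit is checked against produced output, not the compressed size on the wire; a length check on the compressed bytes alone is exactly what a highly compressible payload defeats.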
    • M
    HTTP Response Splitting

    Affected versions of this package are vulnerable to HTTP Response Splitting. A CRLF injection vulnerability in the tornado.web.RequestHandler.set_header function in Tornado before 2.2.1 allows remote attackers to inject arbitrary HTTP headers and conduct HTTP response splitting attacks via crafted input.

    How to fix HTTP Response Splitting?

    Upgrade tornado to version 2.2.1 or higher.

    [,2.2.1)
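
The three CRLF-related entries on this page (the reason argument of set_status and HTTPError, CurlAsyncHTTPClient header values, and set_header before 2.2.1) come down to one check, shown here as an added example rather than Tornado's code: header names must be tokens, and header values and reason phrases must contain no CR, LF or other control characters. The unchecked renderer shows how a crafted reason splits the response; the checked one refuses it. Names are this example's.

```python
import re

# Example code, not tornado.web or tornado.curl_httpclient. Names are this example's.
_TOKEN_RE = re.compile(r"^[!#$%&'*+\-.^_`|~0-9A-Za-z]+$")  # RFC 7230 tchar
_FIELD_TEXT_RE = re.compile(r"^[\t\x20-\x7e\x80-\xff]*$")    # HTAB, SP, VCHAR, obs-text


def is_token(name):
    return bool(_TOKEN_RE.match(name))


def is_field_text(value):
    """True when value contains no CR, LF or other control characters."""
    return bool(_FIELD_TEXT_RE.match(value))


def status_line_unchecked(code, reason):
    """Before: whatever the caller passes as reason lands on the wire."""
    return "HTTP/1.1 %d %s\r\n" % (code, reason)


def status_line(code, reason):
    """After: a reason phrase containing CR/LF or control characters is refused."""
    if not 100 <= code <= 999:
        raise ValueError("bad status code %r" % (code,))
    if not is_field_text(reason):
        raise ValueError("invalid characters in reason phrase %r" % (reason,))
    return "HTTP/1.1 %d %s\r\n" % (code, reason)


def header_line(name, value):
    """Render 'Name: value\\r\\n' only when name is a token and value is field text."""
    if not is_token(name):
        raise ValueError("invalid header name %r" % (name,))
    if not is_field_text(value):
        raise ValueError("invalid header value %r" % (value,))
    return "%s: %s\r\n" % (name, value)


def response_head(code, reason, headers):
    """Status line plus headers, each validated; returns everything up to the body."""
    out = [status_line(code, reason)]
    out.extend(header_line(n, v) for n, v in headers)
    out.append("\r\n")
    return "".join(out)


if __name__ == "__main__":
    # Constructed attacker-supplied reason: splits the response and injects a cookie and a body.
    hostile = "OK\r\nSet-Cookie: admin=1\r\n\r\n<script>alert(1)</script>"
    print(repr(status_line_unchecked(200, hostile)))
    for fn, args in ((status_line, (200, hostile)),
                     (header_line, ("X-Target", "a\r\nX-Injected: 1"))):
        try:
            fn(*args)
        except ValueError as exc:
            print("rejected:", exc)
```

The same is_field_text check applies on the client side: a header value handed to an HTTP client with an embedded CRLF is a request the caller never intended to send.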
    • H
    Cross-site Request Forgery (CSRF)

    Affected versions of this package are vulnerable to Cross-site Request Forgery (CSRF).

    How to fix Cross-site Request Forgery (CSRF)?

    Upgrade tornado to version 3.2.2 or higher.

    [,3.2.2)
    • M
    Denial of Service (DoS)

    Affected versions of this package are vulnerable to Denial of Service (DoS). Algorithmic complexity vulnerability in the ssl.match_hostname function in Python 3.2.x, 3.3.x, and earlier, and unspecified versions of python-backports-ssl_match_hostname as used for older Python versions, allows remote attackers to cause a denial of service (CPU consumption) via multiple wildcard characters in the common name in a certificate.

    How to fix Denial of Service (DoS)?

    Upgrade tornado to version 3.2 or higher.

    [,3.2)