tornado 6.2b2 vulnerabilities

Direct Vulnerabilities

Known vulnerabilities in the tornado package. This does not include vulnerabilities belonging to this package’s dependencies.

Fix vulnerabilities automatically

Snyk's AI Trust Platform automatically finds the best upgrade path and integrates with your development workflows. Secure your code at zero cost.

Fix for free

Vulnerability	Vulnerable Version
H Allocation of Resources Without Limits or Throttling tornado is a Python web framework and asynchronous networking library, originally developed at FriendFeed. Affected versions of this package are vulnerable to Allocation of Resources Without Limits or Throttling through the `multipart/form-data` parser. An attacker can generate an extremely high volume of logs, leading to a denial of service by sending malformed multipart form data that triggers continuous error logging. Note: This is only exploitable if the logging subsystem is synchronous. How to fix Allocation of Resources Without Limits or Throttling? Upgrade `tornado` to version 6.5 or higher.	[,6.5)
M Regular Expression Denial of Service (ReDoS) tornado is a Python web framework and asynchronous networking library, originally developed at FriendFeed. Affected versions of this package are vulnerable to Regular Expression Denial of Service (ReDoS) due to inefficient cookie parsing that results in quadratic performance. An attacker could cause `tornado` to consume excessive CPU resources and block the event loop through maliciously crafted cookies. How to fix Regular Expression Denial of Service (ReDoS)? Upgrade `tornado` to version 6.4.2 or higher.	[,6.4.2)
M HTTP Request Smuggling tornado is a Python web framework and asynchronous networking library, originally developed at FriendFeed. Affected versions of this package are vulnerable to HTTP Request Smuggling due to the handling of multiple `Transfer-Encoding: chunked` headers. An attacker can desynchronize the connection and potentially bypass ACLs or poison caches by sending crafted requests with duplicate `Transfer-Encoding: chunked` headers. How to fix HTTP Request Smuggling? Upgrade `tornado` to version 6.4.1 or higher.	[,6.4.1)
M Improper Neutralization of CRLF Sequences ('CRLF Injection') tornado is a Python web framework and asynchronous networking library, originally developed at FriendFeed. Affected versions of this package are vulnerable to Improper Neutralization of CRLF Sequences ('CRLF Injection') through the `CurlAsyncHTTPClient` headers. An attacker can manipulate HTTP headers and construct unauthorized requests by injecting CRLF sequences into header values. How to fix Improper Neutralization of CRLF Sequences ('CRLF Injection')? Upgrade `tornado` to version 6.4.1 or higher.	[,6.4.1)
M HTTP Request Smuggling tornado is a Python web framework and asynchronous networking library, originally developed at FriendFeed. Affected versions of this package are vulnerable to HTTP Request Smuggling via the `parse` and `validate strings` capabilities in the `int` constructor. Notes: This is possible when Tornado is deployed behind certain proxies that interpret those non-standard characters differently. This is known to apply to older versions of `haproxy`, although the current release is not affected. How to fix HTTP Request Smuggling? Upgrade `tornado` to version 6.3.3 or higher.	[,6.3.3)
M HTTP Request Smuggling tornado is a Python web framework and asynchronous networking library, originally developed at FriendFeed. Affected versions of this package are vulnerable to HTTP Request Smuggling due to improper parsing of the `-`, `+`, and `_` characters in chunk length and `Content-Length` fields through the `int` constructor. Note: Exploiting this vulnerability is possible if Tornado is deployed behind certain proxies that interpret non-standard characters differently, such as older versions of haproxy. How to fix HTTP Request Smuggling? Upgrade `tornado` to version 6.3.3 or higher.	[,6.3.3)
L Open Redirect tornado is a Python web framework and asynchronous networking library, originally developed at FriendFeed. Affected versions of this package are vulnerable to Open Redirect via the `StaticFileHandler` class, due to improper validation of the `default_filename` parameter in the `initialize` function. Exploiting this vulnerability is possible under specific configurations and might result in a redirect to an attacker-controlled site. Note: This vulnerability is still under analysis and we are following up with the maintainers to confirm it. How to fix Open Redirect? Upgrade `tornado` to version 6.3.2 or higher.	[,6.3.2)

Vulnerability

Vulnerable Version

Allocation of Resources Without Limits or Throttling

tornado is a Python web framework and asynchronous networking library, originally developed at FriendFeed.

Affected versions of this package are vulnerable to Allocation of Resources Without Limits or Throttling through the multipart/form-data parser. An attacker can generate an extremely high volume of logs, leading to a denial of service by sending malformed multipart form data that triggers continuous error logging.

Note:

This is only exploitable if the logging subsystem is synchronous.

How to fix Allocation of Resources Without Limits or Throttling?

Upgrade tornado to version 6.5 or higher.

[,6.5)

Regular Expression Denial of Service (ReDoS)

tornado is a Python web framework and asynchronous networking library, originally developed at FriendFeed.

Affected versions of this package are vulnerable to Regular Expression Denial of Service (ReDoS) due to inefficient cookie parsing that results in quadratic performance. An attacker could cause tornado to consume excessive CPU resources and block the event loop through maliciously crafted cookies.

How to fix Regular Expression Denial of Service (ReDoS)?

Upgrade tornado to version 6.4.2 or higher.

[,6.4.2)

HTTP Request Smuggling

tornado is a Python web framework and asynchronous networking library, originally developed at FriendFeed.

Affected versions of this package are vulnerable to HTTP Request Smuggling due to the handling of multiple Transfer-Encoding: chunked headers. An attacker can desynchronize the connection and potentially bypass ACLs or poison caches by sending crafted requests with duplicate Transfer-Encoding: chunked headers.

How to fix HTTP Request Smuggling?

Upgrade tornado to version 6.4.1 or higher.

[,6.4.1)

Improper Neutralization of CRLF Sequences ('CRLF Injection')

tornado is a Python web framework and asynchronous networking library, originally developed at FriendFeed.

Affected versions of this package are vulnerable to Improper Neutralization of CRLF Sequences ('CRLF Injection') through the CurlAsyncHTTPClient headers. An attacker can manipulate HTTP headers and construct unauthorized requests by injecting CRLF sequences into header values.

How to fix Improper Neutralization of CRLF Sequences ('CRLF Injection')?

Upgrade tornado to version 6.4.1 or higher.

[,6.4.1)

HTTP Request Smuggling

tornado is a Python web framework and asynchronous networking library, originally developed at FriendFeed.

Affected versions of this package are vulnerable to HTTP Request Smuggling via the parse and validate strings capabilities in the int constructor.

Notes:

This is possible when Tornado is deployed behind certain proxies that interpret those non-standard characters differently.
This is known to apply to older versions of haproxy, although the current release is not affected.

How to fix HTTP Request Smuggling?

Upgrade tornado to version 6.3.3 or higher.

[,6.3.3)

HTTP Request Smuggling

tornado is a Python web framework and asynchronous networking library, originally developed at FriendFeed.

Affected versions of this package are vulnerable to HTTP Request Smuggling due to improper parsing of the -, +, and _ characters in chunk length and Content-Length fields through the int constructor.

Note: Exploiting this vulnerability is possible if Tornado is deployed behind certain proxies that interpret non-standard characters differently, such as older versions of haproxy.

How to fix HTTP Request Smuggling?

Upgrade tornado to version 6.3.3 or higher.

[,6.3.3)

Open Redirect

tornado is a Python web framework and asynchronous networking library, originally developed at FriendFeed.

Affected versions of this package are vulnerable to Open Redirect via the StaticFileHandler class, due to improper validation of the default_filename parameter in the initialize function. Exploiting this vulnerability is possible under specific configurations and might result in a redirect to an attacker-controlled site.

Note: This vulnerability is still under analysis and we are following up with the maintainers to confirm it.

How to fix Open Redirect?

Upgrade tornado to version 6.3.2 or higher.

[,6.3.2)

tornado@6.2b2 vulnerabilities

Tornado is a Python web framework and asynchronous networking library, originally developed at FriendFeed.

latest version

latest non vulnerable version

first published

latest version published

licenses detected

Direct Vulnerabilities

Fix vulnerabilities automatically