Tornado is vulnerable to DoS due to too many multipart parts
GHSA-qjxf-f2mg-c6mc · CVE-2026-31958 · PYSEC-2026-140
Published · Modified
Description
In versions of Tornado prior to 6.5.5, the only limit on the number of parts in multipart/form-data is the max_body_size setting (default 100MB). Since parsing occurs synchronously on the main thread, this creates the possibility of denial-of-service due to the cost of parsing very large multipart bodies with many parts.
Tornado 6.5.5 introduces new limits on the size and complexity of multipart bodies, including a default limit of 100 parts per request. These limits are configurable if needed; see tornado.httputil.ParseMultipartConfig. It is also now possible to disable multipart/form-data parsing entirely if it is not required for the application.
References
- WEB https://github.com/tornadoweb/tornado/security/advisories/GHSA-qjxf-f2mg-c6mc
- ADVISORY https://nvd.nist.gov/vuln/detail/CVE-2026-31958
- WEB https://github.com/tornadoweb/tornado/commit/119a195e290c43ad2d63a2cf012c29d43d6ed839
- WEB https://github.com/pypa/advisory-database/tree/main/vulns/tornado/PYSEC-2026-140.yaml
- PACKAGE https://github.com/tornadoweb/tornado
- WEB https://github.com/tornadoweb/tornado/releases/tag/v6.5.5
- WEB https://lists.debian.org/debian-lts-announce/2026/04/msg00000.html
Ready to move
Start Securing
Free, no credit card | First findings in minutes