Tornado has incomplete validation of cookie attributes

GHSA-78cv-mqj4-43f7

Published Mar 11, 2026 · Modified Mar 14, 2026

Description

Values passed to the domain, path, and samesite arguments of RequestHandler.set_cookie were not completely validated in versions of Tornado prior to 6.5.5. In particular, semicolons would be allowed, which could be used to inject attacker-controlled values for other cookie attributes.

References

WEB https://github.com/tornadoweb/tornado/security/advisories/GHSA-78cv-mqj4-43f7
WEB https://github.com/tornadoweb/tornado/commit/24a2d96ea115f663b223887deb0060f13974c104
PACKAGE https://github.com/tornadoweb/tornado
WEB https://github.com/tornadoweb/tornado/releases/tag/v6.5.5

Ready to move

Start Securing

Start for Free Get Demo

Free, no credit card | First findings in minutes