Description
Tornado is a Python web framework and asynchronous networking library. In versions of Tornado prior to 6.5.5, the only limit on the number of parts in multipart/form-data is the max_body_size setting (default 100MB). Since parsing occurs synchronously on the main thread, this creates the possibility of denial-of-service due to the cost of parsing very large multipart bodies with many parts. This vulnerability is fixed in 6.5.5.
Published: 2026-03-11
Score: 8.7 High
EPSS: < 1% Very Low
KEV: No
Impact: Denial of Service
Action: Apply Patch
AI Analysis

Impact

In Tornado versions prior to 6.5.5 the server parses multipart/form-data synchronously on the main (event-loop) thread, with max_body_size (default 100 MB) as the only bound on the request. That setting limits bytes, not parts: a body that stays under the limit can still carry an enormous number of tiny parts, and parsing them consumes CPU and memory while the loop is blocked, so every other connection served by that process stalls until parsing finishes. The vulnerability is a classic resource exhaustion flaw (CWE-400 and CWE-770).
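Why a byte limit alone does not bound the work, as an added example (this is not Tornado's code and not the 6.5.5 fix): a toy boundary-delimited multipart parser with the two limiting strategies side by side. The body builder, the parser and the helper names (build_multipart_body, count_parts_size_limited, count_parts_with_cap, parts_that_fit, rejects, TooManyParts) are invented for this example, the sample body is constructed inline, and the 100 MB constant mirrors the default max_body_size quoted in the description.

```python
"""Added example: a byte limit versus a part-count limit on multipart bodies.
Nothing here is Tornado's implementation; the names are invented for illustration."""

BOUNDARY = b"boundary123"
MAX_BODY_SIZE = 100 * 1024 * 1024  # mirrors Tornado's default max_body_size (100 MB)


class TooManyParts(ValueError):
    """Raised by the hardened parser when the part cap is exceeded."""


def build_multipart_body(n_parts: int, boundary: bytes = BOUNDARY) -> bytes:
    """Construct a multipart/form-data body with n_parts minimal parts.
    Each part is as small as the format allows, so a body under the size
    limit can still carry a very large number of parts."""
    part = (
        b"--" + boundary + b"\r\n"
        b'Content-Disposition: form-data; name="f"\r\n\r\n'
        b"x\r\n"
    )
    return part * n_parts + b"--" + boundary + b"--\r\n"


def _iter_parts(body: bytes, boundary: bytes):
    """Yield (headers, data) for each part of a boundary-delimited body.
    A deliberately simple parser constructed for this example."""
    delimiter = b"--" + boundary
    pieces = body.split(delimiter)
    for piece in pieces[1:]:          # pieces[0] is the preamble
        if piece.startswith(b"--"):   # closing delimiter: "--boundary--"
            return
        if not piece.startswith(b"\r\n"):
            raise ValueError("malformed part")
        head, sep, data = piece[2:].partition(b"\r\n\r\n")
        if not sep:
            raise ValueError("part without header terminator")
        if data.endswith(b"\r\n"):
            data = data[:-2]
        headers = dict(line.split(b": ", 1) for line in head.split(b"\r\n") if line)
        yield headers, data


def count_parts_size_limited(body: bytes, boundary: bytes = BOUNDARY,
                             max_body_size: int = MAX_BODY_SIZE) -> int:
    """Pre-6.5.5 style limit: only the body size is checked, then every part is parsed."""
    if len(body) > max_body_size:
        raise ValueError("body too large")
    return sum(1 for _ in _iter_parts(body, boundary))


def count_parts_with_cap(body: bytes, boundary: bytes = BOUNDARY,
                         max_body_size: int = MAX_BODY_SIZE, max_parts: int = 1000) -> int:
    """Hardened form: keep the size check and also stop as soon as the
    part count exceeds max_parts, so the rest of the body is never scanned."""
    if len(body) > max_body_size:
        raise ValueError("body too large")
    n = 0
    for _ in _iter_parts(body, boundary):
        n += 1
        if n > max_parts:
            raise TooManyParts(f"more than {max_parts} parts")
    return n


def parts_that_fit(max_body_size: int = MAX_BODY_SIZE, boundary: bytes = BOUNDARY) -> int:
    """How many minimal parts fit under the byte limit: the work a size-only
    limit lets an attacker force per request."""
    one_part = len(build_multipart_body(1, boundary)) - len(build_multipart_body(0, boundary))
    return max_body_size // one_part


def rejects(body: bytes, max_parts: int, boundary: bytes = BOUNDARY) -> bool:
    """True if the capped parser refuses the body."""
    try:
        count_parts_with_cap(body, boundary, max_parts=max_parts)
    except TooManyParts:
        return True
    return False


if __name__ == "__main__":
    print("minimal parts under the 100 MB size limit:", parts_that_fit())
    body = build_multipart_body(5000)
    print("size-only limit parses all parts:", count_parts_size_limited(body))
    print("cap of 1000 rejects the body:", rejects(body, 1000))
```

Run directly, the script reports how many 62-byte parts fit under 100 MB (over 1.6 million), then shows that the size-only parser walks all 5000 constructed parts while the capped parser refuses the same body after the 1000th. On a real server the cap belongs in the streaming parser so rejection happens before the body is fully buffered, and the cap is a defence-in-depth measure, not a substitute for upgrading to 6.5.5.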

Affected Systems

The affected vendor is Tornado (tornadoweb:tornado). All releases up to and including 6.5.4 are vulnerable; the issue is resolved starting with Tornado 6.5.5.

Risk and Exploitability

The 8.7 High score is the CVSS 4.0 base score (AV:N/AC:L/AT:N/PR:N/UI:N/VA:H): network-reachable, no privileges or user interaction required, high availability impact. The EPSS score of less than 1 % suggests that exploitation is currently unlikely, the vulnerability is not listed in the CISA KEV catalog, and no public exploit has been reported. The attack vector is a remote HTTP request carrying a large multipart body with many parts; direct evidence of in-the-wild exploitation is not provided in the data.

Generated by OpenCVE AI on March 17, 2026 at 15:47 UTC.

Remediation

The vendor fix is Tornado 6.5.5, as stated in the description; no workaround is provided.

OpenCVE Recommended Actions

  • Upgrade Tornado to version 6.5.5 or newer.


Advisories

Source        ID                    Title
Debian DLA    DLA-4520-1            python-tornado security update
GitHub GHSA   GHSA-qjxf-f2mg-c6mc   Tornado is vulnerable to DoS due to too many multipart parts
History

Each entry lists the changed field, then the values removed and the values added.

Wed, 01 Apr 2026 23:45:00 +0000
  References   updated (values not shown)

Mon, 16 Mar 2026 19:45:00 +0000
  CPEs         added    cpe:2.3:a:tornadoweb:tornado:*:*:*:*:*:*:*:*
  Metrics      removed  cvssV3_1 {'score': 5.3, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L'}
               added    cvssV3_1 {'score': 7.5, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H'}

Fri, 13 Mar 2026 00:15:00 +0000
  Weaknesses   added    CWE-770
  References   updated (values not shown)
  Metrics      removed  threat_severity None
               added    cvssV3_1 {'score': 5.3, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L'}
               added    threat_severity Moderate

Thu, 12 Mar 2026 20:15:00 +0000
  Metrics      added    ssvc {'options': {'Automatable': 'yes', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}

Thu, 12 Mar 2026 10:15:00 +0000
  First Time appeared   Tornadoweb; Tornadoweb tornado
  Vendors & Products    added    Tornadoweb; Tornadoweb tornado

Wed, 11 Mar 2026 19:45:00 +0000
  Description  added    (the description shown at the top of this page)
  Title        added    Tornado has a DoS due to too many multipart parts
  Weaknesses   added    CWE-400
  References   added
  Metrics      added    cvssV4_0 {'score': 8.7, 'vector': 'CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N'}


MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published:

Updated: 2026-04-01T14:32:33.146Z

Reserved: 2026-03-10T15:40:10.481Z

Link: CVE-2026-31958

Vulnrichment

Updated: 2026-03-12T19:55:47.727Z

NVD

Status: Modified

Published: 2026-03-11T20:16:16.617

Modified: 2026-04-01T15:23:00.217

Link: CVE-2026-31958

Red Hat

Severity: Moderate

Public Date: 2026-03-11T19:27:23Z

Links: CVE-2026-31958 - Bugzilla

OpenCVE Enrichment

Updated: 2026-03-20T15:29:17Z

Weaknesses