Security: tornadoweb/tornado
Security Advisories
View known security vulnerabilities and report new vulnerabilities privately to maintainers.
- Quadratic DoS via Crafted Multipart Parameters
  GHSA-jhmp-mqwm-3gq8 published Dec 11, 2025 by bdarnell (High)
- Quadratic DoS via Repeated Header Coalescing
  GHSA-c98p-7wgm-6p64 published Dec 11, 2025 by bdarnell (High)
- Header injection and XSS via `reason` argument
  GHSA-pr2v-jx2c-wg9f published Dec 11, 2025 by bdarnell (Moderate)
- Excessive logging caused by malformed multipart form data
  GHSA-7cx3-6m66-7c5m published May 15, 2025 by bdarnell (High)
- HTTP cookie parsing DoS vulnerability
  GHSA-8w49-h785-mj3c published Nov 22, 2024 by bdarnell (High)
- CRLF injection in CurlAsyncHTTPClient headers
  GHSA-w235-7p84-xx57 published Jun 6, 2024 by bdarnell (Moderate)
- Inconsistent Interpretation of HTTP Requests ('HTTP Request/Response Smuggling') in tornado
  GHSA-753j-mpmx-qq6g published Jun 6, 2024 by bdarnell (Moderate)
- HTTP request smuggling via improper parsing of `Content-Length` fields and chunk lengths
  GHSA-qppv-j76h-2rpx published Aug 12, 2023 by bdarnell (Moderate)