OSV - Open Source Vulnerabilities

GHSA-fqwm-6jpj-5wxc

PyPI/tornado

Tornado has cookie attribute injection via .RequestHandler.set_cookie

03 Apr

Fix available
Severity - 7.2 (High)

GHSA-qjxf-f2mg-c6mc

PyPI/tornado

Tornado is vulnerable to DoS due to too many multipart parts

12 Mar

Fix available
Severity - 8.7 (High)

GHSA-78cv-mqj4-43f7

PyPI/tornado

Tornado has incomplete validation of cookie attributes

11 Mar

Fix available
Severity - 5.4 (Medium)

GHSA-7cx3-6m66-7c5m

PyPI/tornado

Tornado vulnerable to excessive logging caused by malformed multipart form data

16 May 2025

Fix available
Severity - 7.5 (High)

GHSA-8w49-h785-mj3c

PyPI/tornado

Tornado has an HTTP cookie parsing DoS vulnerability

22 Nov 2024

Fix available
Severity - 7.5 (High)

GHSA-w235-7p84-xx57

PyPI/tornado

Tornado has a CRLF injection in CurlAsyncHTTPClient headers

06 Jun 2024

Fix available
Severity - 6.5 (Medium)

GHSA-753j-mpmx-qq6g

PyPI/tornado

Inconsistent Interpretation of HTTP Requests ('HTTP Request/Response Smuggling') in tornado

06 Jun 2024

Fix available
Severity - 5.3 (Medium)

GHSA-qppv-j76h-2rpx

PyPI/tornado

Tornado vulnerable to HTTP request smuggling via improper parsing of `Content-Length` fields and chunk lengths

14 Aug 2023

Fix available

GHSA-hj3f-6gcp-jg8j

PyPI/tornado

Open redirect in Tornado

25 May 2023

Fix available
Severity - 5.3 (Medium)

PYSEC-2023-75

PyPI/tornado

See record for full details

25 May 2023

Fix available

GHSA-8vpw-mgpf-mpvv

PyPI/tornado

Tornado XSRF cookie allows side-channel attack against TLS (BREACH attack)

17 May 2022

Fix available
Severity - 7.1 (High)

GHSA-f7fv-v9rh-prvc

PyPI/tornado

Tornado CRLF injection vulnerability

17 May 2022

Fix available
Severity - 8.7 (High)

PYSEC-2020-213

PyPI/tornado
github.com/tornadoweb/tornado

See record for full details

24 Jan 2020

Fix available

PYSEC-2012-5

PyPI/tornado

See record for full details

23 May 2012

Fix available