PYSEC-2026-3389

See a problem?
Import Source
https://github.com/pypa/advisory-database/blob/main/vulns/tornado/PYSEC-2026-3389.yaml
JSON Data
https://api.osv.dev/v1/vulns/PYSEC-2026-3389
Aliases
Published
2026-07-13T15:46:17.106405Z
Modified
2026-07-13T16:33:26.893507727Z
Severity
  • 7.5 (High) CVSS_V3 - CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H CVSS Calculator
Summary
tornado AsyncHTTPClient accumulates decompressed chunks without size limit (gzip bomb)
Details

Tornado's gzip decompression routines work in limited-size chunks, but have no overall limit for the total size of decompressed chunks that they will accumulate (There has always been a limit for the total compressed size). This allows a malicious server to consume effectively unlimited amounts of memory if it is accessed via SimpleAsyncHTTPClient in its default configuration. HTTPServer is not affected in its default configuration, but it is if decompress_request=True is set.

This bug is fixed in Tornado 6.5.6. max_body_size is now checked both for the compressed and cumulative decompressed size of the response.

Prior to upgrading, this issue can be mitigated by setting decompress_response=False or using CurlAsyncHTTPClient.

References

Affected packages

PyPI / tornado

Package

Affected ranges

Type
ECOSYSTEM
Events
Introduced
0Unknown introduced version / All previous versions are affected
Fixed
6.5.6

Affected versions

0.*
0.2
1.*
1.0
1.1
1.1.1
1.2
1.2.1
2.*
2.0
2.1
2.1.1
2.2
2.2.1
2.3
2.4
2.4.1
3.*
3.0
3.0.1
3.0.2
3.1
3.1.1
3.2
3.2.1
3.2.2
4.*
4.0
4.0.1
4.0.2
4.1b2
4.1
4.2b1
4.2
4.2.1
4.3b1
4.3b2
4.3
4.4b1
4.4
4.4.1
4.4.2
4.4.3
4.5b1
4.5b2
4.5
4.5.1
4.5.2
4.5.3
5.*
5.0a1
5.0b1
5.0
5.0.1
5.0.2
5.1b1
5.1
5.1.1
6.*
6.0a1
6.0b1
6.0
6.0.1
6.0.2
6.0.3
6.0.4
6.1b1
6.1b2
6.1
6.2b1
6.2b2
6.2
6.3b1
6.3
6.3.1
6.3.2
6.3.3
6.4b1
6.4
6.4.1
6.4.2
6.5b1
6.5
6.5.1
6.5.2
6.5.3
6.5.4
6.5.5

Database specific

source
"https://github.com/pypa/advisory-database/blob/main/vulns/tornado/PYSEC-2026-3389.yaml"