Resource exhaustion in Tornadoweb Tornado
CVE-2026-31958
Tornado is a Python web framework and asynchronous networking library. In versions of Tornado prior to 6.5.5, the only limit on the number of parts in multipart/form-data is the max_body_size setting (default 100MB). Since parsing occurs s…
Vulnerability class: DoS (Denial of Service)
EPSS: 0.000 (8.4th percentile)
Affected products
- Tornadoweb Tornado — versions < 6.5.5
Weakness classification (CWE)
References
- https://github.com/tornadoweb/tornado/security/advisories/GHSA-qjxf-f2mg-c6mc (x_refsource_CONFIRM)