Denial-of-Service Vulnerability in Tornado Web Framework by Tornado Software
CVE-2026-31958
8.7HIGH
What is CVE-2026-31958?
Tornado, a popular Python web framework and asynchronous networking library, has a vulnerability in versions prior to 6.5.5 that allows for denial-of-service attacks. This occurs due to the lack of restrictions on multipart/form-data parts, wherein the only limit is the max_body_size setting, which defaults to 100MB. When large multipart bodies with numerous parts are parsed synchronously on the main thread, it can overwhelm the server, potentially leading to performance degradation or outages. Users are strongly advised to upgrade to version 6.5.5 or later to mitigate this risk.
Affected Version(s)
tornado < 6.5.5
