Denial-of-Service Vulnerability in Tornado Web Framework by Tornado Software
CVE-2026-31958

8.7HIGH

Key Information:

Vendor

Tornadoweb

Status
Vendor
CVE Published:
11 March 2026

What is CVE-2026-31958?

Tornado, a popular Python web framework and asynchronous networking library, has a vulnerability in versions prior to 6.5.5 that allows for denial-of-service attacks. This occurs due to the lack of restrictions on multipart/form-data parts, wherein the only limit is the max_body_size setting, which defaults to 100MB. When large multipart bodies with numerous parts are parsed synchronously on the main thread, it can overwhelm the server, potentially leading to performance degradation or outages. Users are strongly advised to upgrade to version 6.5.5 or later to mitigate this risk.

Affected Version(s)

tornado < 6.5.5

References

CVSS V4

Score:
8.7
Severity:
HIGH
Confidentiality:
None
Integrity:
None
Availability:
High
Attack Vector:
Network
Attack Complexity:
Low
Attack Required:
None
Privileges Required:
Undefined
User Interaction:
None

Timeline

  • Vulnerability published

  • Vulnerability Reserved

.