CVE-2026-31958

EUVD-2026-11323
Tornado is a Python web framework and asynchronous networking library. In versions of Tornado prior to 6.5.5, the only limit on the number of parts in multipart/form-data is the max_body_size setting (default 100MB). Since parsing occurs synchronously on the main thread, this creates the possibility of denial-of-service due to the cost of parsing very large multipart bodies with many parts. This vulnerability is fixed in 6.5.5.
CVSS 3.x Base Score (Provider: NIST, Type: Primary): 7.5 HIGH
Attack Vector: NETWORK
Attack Complexity: LOW
Privileges Required: NONE
Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
EPSS Score: Percentile Unknown
Affected Products (NVD)
Vendor: tornadoweb
Product: tornado
Version: < 6.5.5 (vulnerable software versions)
Debian Releases (Debian product: python-tornado)
Codename: status
  bookworm: vulnerable
  bookworm (security): vulnerable
  bullseye: vulnerable
  bullseye (security): fixed in 6.1.0-1+deb11u4
  forky: fixed in 6.5.5-1
  sid: fixed in 6.5.5-1
  trixie: vulnerable
  trixie (security): vulnerable
Ubuntu Releases (Ubuntu product: python-tornado)
Codename: status
  bionic: fixed in 4.5.3-1ubuntu0.2+esm3 (released)
  focal: fixed in 6.0.3+really5.1.1-3ubuntu0.1~esm5 (released)
  jammy: fixed in 6.1.0-3ubuntu0.1~esm5 (released)
  noble: fixed in 6.4.0-1ubuntu0.5 (released)
  questing: fixed in 6.4.2-3ubuntu0.3 (released)
  resolute: needed
  xenial: fixed in 4.2.1-1ubuntu3.1+esm3 (released)