Announcing Tornado 6.5.5


Ben Darnell

Mar 10, 2026, 8:46:32 PM
to python-torn...@googlegroups.com, Tornado Mailing List
Tornado 6.5.5 is now available on PyPI. This is a security release that fixes several security issues, the most serious of which is a denial-of-service vulnerability in the parsing of multipart/form-data requests (CVE-2026-31958).

What’s new in Tornado 6.5.5

Mar 10, 2026

Security fixes

  • multipart/form-data requests are now limited to 100 parts by default, to prevent a denial-of-service attack via very large requests with many parts. This limit is configurable via tornado.httputil.ParseMultipartConfig. Multipart parsing can also be disabled completely if not required for the application. Thanks to [0x-Apollyon](https://github.com/0x-Apollyon) and [bekkaze](https://github.com/bekkaze) for reporting this issue.

  • The domain, path, and samesite arguments to RequestHandler.set_cookie are now validated for illegal characters, which could be abused to inject other attributes on the cookie. Thanks to Dhiral Vyas (Praetorian) for reporting this issue.

  • Carriage return characters are no longer accepted in multipart/form-data headers. Thanks to [sergeykochanov](https://github.com/sergeykochanov) for reporting this issue.
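As an added illustration of the two multipart fixes above (the part-count limit and the rejection of carriage returns in part headers), here is a small standard-library multipart/form-data parser that applies both checks. This is example code written for this post, not Tornado's own parser or its `ParseMultipartConfig`; the boundary, the request bodies and the helper names (`parse_multipart`, `build_body`, `rejects`) are all constructed for the example.

```python
"""Added example, not Tornado's own parser: a minimal multipart/form-data
parser that enforces a configurable part-count limit and rejects bare
carriage returns in part headers. Standard library only; every request
body below is constructed for the example."""
from __future__ import annotations

import re
from dataclasses import dataclass
from typing import List, Optional, Tuple

DEFAULT_MAX_PARTS = 100  # the default limit stated in the release notes

_DISPOSITION_PARAM = re.compile(r'(\w+)="([^"]*)"')


class MultipartError(ValueError):
    """Raised when the body is malformed or exceeds a configured limit."""


@dataclass
class Part:
    name: str
    filename: Optional[str]
    body: bytes


def _parse_part_headers(raw: bytes) -> dict:
    """Parse one part's header block. Lines are CRLF-terminated; a CR or LF
    left over after splitting on CRLF is a bare control character that could
    smuggle extra header text, so it is rejected outright."""
    headers = {}
    for line in raw.split(b"\r\n"):
        if not line:
            continue
        if b"\r" in line or b"\n" in line:
            raise MultipartError("bare CR or LF in part header")
        name, sep, value = line.partition(b":")
        if not sep:
            raise MultipartError("malformed header line")
        headers[name.strip().decode("latin-1").lower()] = value.strip().decode("latin-1")
    return headers


def parse_multipart(body: bytes, boundary: bytes,
                    max_parts: int = DEFAULT_MAX_PARTS) -> List[Part]:
    """Split `body` on `boundary` and return its parts, refusing to parse more
    than `max_parts` of them so a request made of very many tiny parts cannot
    consume unbounded CPU and memory. A body-size limit still belongs upstream:
    the split itself is linear in the body length."""
    delimiter = b"--" + boundary
    if not body.startswith(delimiter):
        raise MultipartError("body does not start with boundary")
    parts: List[Part] = []
    # chunks[0] is the empty preamble; the final chunk follows the closing "--".
    for chunk in body.split(delimiter)[1:]:
        if chunk.startswith(b"--"):
            break  # closing delimiter reached
        if len(parts) >= max_parts:
            raise MultipartError(f"more than {max_parts} parts")
        if not chunk.startswith(b"\r\n"):
            raise MultipartError("boundary not followed by CRLF")
        head, sep, data = chunk[2:].partition(b"\r\n\r\n")
        if not sep:
            raise MultipartError("part has no header terminator")
        params = dict(_DISPOSITION_PARAM.findall(
            _parse_part_headers(head).get("content-disposition", "")))
        if "name" not in params:
            raise MultipartError("part has no name")
        if data.endswith(b"\r\n"):  # CRLF that precedes the next delimiter
            data = data[:-2]
        parts.append(Part(params["name"], params.get("filename"), data))
    return parts


def build_body(boundary: bytes, fields: List[Tuple[str, bytes]]) -> bytes:
    """Construct a well-formed multipart/form-data body (test fixture)."""
    out = b""
    for name, value in fields:
        out += b"--" + boundary + b"\r\n"
        out += b'Content-Disposition: form-data; name="' + name.encode() + b'"\r\n\r\n'
        out += value + b"\r\n"
    return out + b"--" + boundary + b"--\r\n"


def rejects(body: bytes, boundary: bytes, **kwargs) -> bool:
    """True if the parser refuses `body` (used to exercise the checks)."""
    try:
        parse_multipart(body, boundary, **kwargs)
    except MultipartError:
        return True
    return False


BOUNDARY = b"exampleboundary"
# Constructed bodies: a normal two-field form, one with 101 parts, and one with
# a bare CR spliced into a part header.
NORMAL_BODY = build_body(BOUNDARY, [("user", b"alice"), ("note", b"hello")])
MANY_PARTS_BODY = build_body(BOUNDARY, [(f"f{i}", b"x") for i in range(101)])
BARE_CR_BODY = (b"--" + BOUNDARY + b"\r\n"
                b'Content-Disposition: form-data; name="a"\rContent-Type: text/plain\r\n\r\n'
                b"x\r\n--" + BOUNDARY + b"--\r\n")

if __name__ == "__main__":
    print([p.name for p in parse_multipart(NORMAL_BODY, BOUNDARY)])
    print(rejects(MANY_PARTS_BODY, BOUNDARY), rejects(MANY_PARTS_BODY, BOUNDARY, max_parts=200))
    print(rejects(BARE_CR_BODY, BOUNDARY))
```

The part limit is checked before any work is done on the next part, so a body with thousands of parts is refused as soon as the limit is crossed; raising the limit (`max_parts=200`) makes the 101-part body parse normally. The CR check is deliberately strict: a header line is only ever CRLF-terminated, so any CR or LF remaining after the CRLF split is a malformed header and the whole request is rejected.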
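For the cookie fix, the following added example shows the kind of validation that keeps a `domain`, `path` or `samesite` value from changing the structure of the `Set-Cookie` header it is joined into. It is illustrative code written for this post, not Tornado's `RequestHandler.set_cookie` or its exact rules; the character classes follow RFC 6265 (path-value is any CHAR except CTLs or `;`), and `build_set_cookie` and `rejects` are names chosen for the example.

```python
"""Added example, not Tornado's own code: validate the domain, path and
samesite attributes of a Set-Cookie header before they are joined into the
header string, so a value carrying a separator cannot append attributes of
its own. Character rules follow RFC 6265; Tornado's exact rules may differ."""
import re
from typing import Optional

# Domain attribute: dot-separated labels of letters, digits and hyphens,
# optionally with a leading dot (which RFC 6265 tolerates).
_LABEL = r"[A-Za-z0-9](?:[A-Za-z0-9-]*[A-Za-z0-9])?"
_DOMAIN_RE = re.compile(rf"^\.?{_LABEL}(?:\.{_LABEL})*$")
_SAMESITE_VALUES = {"strict", "lax", "none"}
# RFC 6265 token characters, used for the cookie name.
_TOKEN_RE = re.compile(r"[!#$%&'*+\-.^_`|~0-9A-Za-z]+")


class InvalidCookieAttribute(ValueError):
    """Raised when an attribute value could alter the structure of the header."""


def _has_ctl_or_semicolon(value: str) -> bool:
    # CTLs (0x00-0x1F and 0x7F) include CR and LF, which would end the header
    # line; ";" would end this attribute and start another one.
    return any(ord(c) < 0x20 or ord(c) == 0x7F or c == ";" for c in value)


def validate_path(path: str) -> str:
    if _has_ctl_or_semicolon(path):
        raise InvalidCookieAttribute("illegal character in cookie path")
    return path


def validate_domain(domain: str) -> str:
    if not _DOMAIN_RE.match(domain):
        raise InvalidCookieAttribute("illegal character in cookie domain")
    return domain


def validate_samesite(samesite: str) -> str:
    if samesite.lower() not in _SAMESITE_VALUES:
        raise InvalidCookieAttribute("unknown SameSite value")
    return samesite.capitalize()


def build_set_cookie(name: str, value: str, *, domain: Optional[str] = None,
                     path: Optional[str] = "/", samesite: Optional[str] = None,
                     secure: bool = False, httponly: bool = False) -> str:
    """Assemble a Set-Cookie header value, validating each attribute first."""
    if not _TOKEN_RE.fullmatch(name):
        raise InvalidCookieAttribute("cookie name is not an RFC 6265 token")
    # cookie-octet excludes CTLs, space, DQUOTE, comma, semicolon and backslash.
    if _has_ctl_or_semicolon(value) or any(c in value for c in ' ",\\'):
        raise InvalidCookieAttribute("illegal character in cookie value")
    pieces = [f"{name}={value}"]
    if domain is not None:
        pieces.append(f"Domain={validate_domain(domain)}")
    if path is not None:
        pieces.append(f"Path={validate_path(path)}")
    if samesite is not None:
        pieces.append(f"SameSite={validate_samesite(samesite)}")
    if secure:
        pieces.append("Secure")
    if httponly:
        pieces.append("HttpOnly")
    return "; ".join(pieces)


def rejects(**kwargs) -> bool:
    """True if build_set_cookie refuses the given attributes (constructed inputs)."""
    try:
        build_set_cookie("sid", "abc123", **kwargs)
    except InvalidCookieAttribute:
        return True
    return False


if __name__ == "__main__":
    print(build_set_cookie("sid", "abc123", domain="example.com", path="/app",
                           samesite="lax", secure=True, httponly=True))
    # Malformed values carrying a separator or a control character are refused.
    print(rejects(path="/app; Secure"), rejects(domain="example.com;Path=/"),
          rejects(samesite="Lax;Secure"), rejects(path="/a\rb"))
```

The important design point is where the check sits: each attribute is validated individually before the `"; ".join`, so the header is never assembled from an unchecked value. Rejecting with an exception (rather than silently stripping characters) also makes the bad input visible in application logs.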
