Announcing Tornado 6.5.3

[Ben Darnell]

Tornado 6.5.3 is now available on PyPI. This is a security release that fixes two denial-of-service vulnerabilities, as well as a more severe vulnerability in the (unlikely) event that you're passing untrusted data to the `reason` argument in `RequestHandler.set_status`.
https://www.tornadoweb.org/en/stable/releases/v6.5.3.html

Security fixes¶

• Fixed a denial-of-service vulnerability involving quadratic computation when parsingmultipart/form-data request bodies. CVE-2025-67726 Thanks to Finder16 for reporting this issue.

• Fixed a denial-of-service vulnerability involving quadratic computation when parsing repeated HTTP headers. CVE-2025-67725. Thanks to Finder16 for reporting this issue.

• Fixed a header injection and XSS vulnerability involving the reason argument toRequestHandler.set_status and tornado.web.HTTPError. CVE-2025-67724. Thanks to Finder16and Cheshire1225 for reporting this issue.

Demo changes¶

• Several demo applications bundled with the Tornado repo (blog, chat, facebook) had an open redirect vulnerability which has been fixed. This is not covered by a CVE or security advisory since the demo applications are not included as a part of the Tornado package when installed, but developers who have copied code from these demos may which to review their own applications for open redirects. Thanks to J1vvoo for reporting this issue.

• The s3server demo application contained some path traversal vulnerabilities. Since this demo application was not demonstrating any interesting aspects of Tornado, it has been deleted rather than being fixed. Thanks to J1vvoo for reporting this issue.