Announcing Tornado 6.5.6


Ben Darnell

May 27, 2026, 12:05:40 PM (9 days ago) May 27
to python-torn...@googlegroups.com, Tornado Mailing List
Tornado 6.5.6 is now available on PyPI. This release fixes several security vulnerabilities, the most severe of which are in SimpleAsyncHTTPClient. 


What’s new in Tornado 6.5.6

May 27, 2026

Security fixes

  • SimpleAsyncHTTPClient now strips the Authorization and Cookie headers from the request when following a redirect to a different origin. This matches the default behavior of CurlAsyncHTTPClient. Applications that need different behavior here can set follow_redirects=False and handle redirects manually. Thanks to [Yannick Wang](https://github.com/noobone123) for being first to report this issue, as well as additional reporters [Kai Aizen](https://github.com/SnailSploit), [HunSec](https://github.com/0xHunSec), and [Thai Son Dinh](https://github.com/sondt99).

  • SimpleAsyncHTTPClient now enforces max_body_size on the decompressed size of the response, rather than the compressed size. This prevents a denial-of-service attack via a very large compressed response. Thanks to [Yuichiro Kedashiro](https://github.com/yuui25) for reporting this issue.

  • Fixed a bug in the C extension that could have read up to three bytes past the end of an input array. Thanks to [Thai Son Dinh](https://github.com/sondt99) for reporting this issue.

  • OpenIDMixin has improved parsing for the check_authentication response. Thanks to [Yannick Wang](https://github.com/noobone123) for reporting this issue.

Bug fixes

  • CurlAsyncHTTPClient has been updated to use non-deprecated APIs, avoiding deprecation warnings with recent versions of pycurl.
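The two most important fixes above (credential stripping on cross-origin redirects, and enforcing max_body_size on decompressed rather than compressed output) are easy to get wrong in a hand-rolled client. The following is an added illustration, not Tornado's own code: it shows the checks an application would need if it sets follow_redirects=False and handles redirects itself, as the release notes suggest. The origin comparison (scheme, host, port with default ports filled in), the header names, and the sample URLs and bodies are assumptions constructed for this example.

```python
"""Added example (not Tornado's code): the two SimpleAsyncHTTPClient checks
described in the 6.5.6 release notes, written for a caller that has set
follow_redirects=False and follows Location headers itself."""
import gzip
import zlib
from urllib.parse import urljoin, urlsplit

# Headers that must not be carried to a different origin on redirect.
# Assumption for this example: the two headers named in the advisory.
SENSITIVE_HEADERS = frozenset({"authorization", "cookie"})

DEFAULT_PORTS = {"http": 80, "https": 443}


def origin(url):
    """(scheme, host, port) for a URL; default ports are filled in so that
    https://a.example/ and https://a.example:443/ compare equal."""
    parts = urlsplit(url)
    scheme = parts.scheme.lower()
    host = (parts.hostname or "").lower()
    port = parts.port if parts.port is not None else DEFAULT_PORTS.get(scheme)
    return scheme, host, port


def same_origin(url_a, url_b):
    return origin(url_a) == origin(url_b)


def headers_for_redirect(request_url, location, headers):
    """Resolve a Location header and return (target_url, headers_to_send).

    Same-origin redirects keep every header; cross-origin redirects drop
    Authorization and Cookie so a redirecting server cannot steer the
    client's credentials to a host the caller never intended."""
    target = urljoin(request_url, location)
    if same_origin(request_url, target):
        return target, dict(headers)
    kept = {k: v for k, v in headers.items() if k.lower() not in SENSITIVE_HEADERS}
    return target, kept


class BodyTooLarge(Exception):
    """Raised when the decompressed output would exceed max_body_size."""


def decompress_with_limit(compressed, max_body_size, chunk=65536):
    """Inflate a gzip body incrementally, failing as soon as the decompressed
    size passes max_body_size instead of after the whole body is in memory.

    Checking only the compressed length is the defect the advisory describes:
    a few kilobytes of gzip can expand to hundreds of megabytes."""
    d = zlib.decompressobj(16 + zlib.MAX_WBITS)  # gzip framing
    out = bytearray()
    data = compressed
    while data:
        # max_length bounds how much output this call may produce; input that
        # was not consumed is parked in unconsumed_tail for the next iteration.
        out += d.decompress(data, chunk)
        if len(out) > max_body_size:
            raise BodyTooLarge(f"decompressed body exceeds {max_body_size} bytes")
        data = d.unconsumed_tail
    out += d.flush()
    if len(out) > max_body_size:
        raise BodyTooLarge(f"decompressed body exceeds {max_body_size} bytes")
    return bytes(out)


def exceeds_limit(compressed, max_body_size):
    """True if the body would be rejected under max_body_size."""
    try:
        decompress_with_limit(compressed, max_body_size)
    except BodyTooLarge:
        return True
    return False


if __name__ == "__main__":
    # Constructed sample: a redirect from an API host to an unrelated origin.
    hdrs = {"Authorization": "Bearer TOKEN", "Cookie": "session=abc", "Accept": "*/*"}
    print(headers_for_redirect("https://api.example.com/login", "/home", hdrs))
    print(headers_for_redirect("https://api.example.com/login", "https://other.example.net/", hdrs))

    # Constructed sample: 1 MB of zeros gzips to roughly a kilobyte.
    body = gzip.compress(b"\x00" * 1_000_000)
    print(len(body), "compressed bytes;", "rejected" if exceeds_limit(body, 10_000) else "accepted")
```

The decompression check is the one worth copying into any client that reads Content-Encoding bodies: the size comparison has to happen on each decompressed chunk as it is produced, because by the time the full inflated body exists the memory has already been spent.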

