Vulnerability	Vulnerable Version
M Regular Expression Denial of Service (ReDoS) tornado is a Python web framework and asynchronous networking library, originally developed at FriendFeed. Affected versions of this package are vulnerable to Regular Expression Denial of Service (ReDoS) due to inefficient cookie parsing that results in quadratic performance. An attacker could cause `tornado` to consume excessive CPU resources and block the event loop through maliciously crafted cookies. How to fix Regular Expression Denial of Service (ReDoS)? Upgrade `tornado` to version 6.4.2 or higher.	[,6.4.2)
M HTTP Request Smuggling tornado is a Python web framework and asynchronous networking library, originally developed at FriendFeed. Affected versions of this package are vulnerable to HTTP Request Smuggling due to the handling of multiple `Transfer-Encoding: chunked` headers. An attacker can desynchronize the connection and potentially bypass ACLs or poison caches by sending crafted requests with duplicate `Transfer-Encoding: chunked` headers. How to fix HTTP Request Smuggling? Upgrade `tornado` to version 6.4.1 or higher.	[,6.4.1)
M Improper Neutralization of CRLF Sequences ('CRLF Injection') tornado is a Python web framework and asynchronous networking library, originally developed at FriendFeed. Affected versions of this package are vulnerable to Improper Neutralization of CRLF Sequences ('CRLF Injection') through the `CurlAsyncHTTPClient` headers. An attacker can manipulate HTTP headers and construct unauthorized requests by injecting CRLF sequences into header values. How to fix Improper Neutralization of CRLF Sequences ('CRLF Injection')? Upgrade `tornado` to version 6.4.1 or higher.	[,6.4.1)

Go back to all versions of this package