Name of the Vulnerable Software and Affected Versions Tornado versions prior to the version that includes the fix for this issue

Description The issue arises from Tornado's interpretation of non-standard characters in chunk length and Content-Length values, which can lead to request smuggling when deployed behind certain proxies. Specifically, Tornado uses the int constructor to parse Content-Length headers and chunk lengths, allowing characters like -, +, and that are not permitted by HTTP RFCs. This can be exploited when Tornado is used with older versions of haproxy, although the current haproxy release is not affected.

Recommendations For Tornado versions prior to the fixed version, consider disabling the Content-Length header parsing or restrict the use of non-standard characters in chunk length and Content-Length values until a patch is available. As a temporary workaround, restrict access to the tornado/http1connection.py module to minimize the risk of exploitation. At the moment, there is no information about a newer version that contains a fix for this vulnerability.