PT-2026-24805 · Tornado+4
0X-Apollyon +1 · Published 2026-03-11 · Updated 2026-06-08
CVE-2026-31958
CVSS v4.0: 8.7 (High)
Vector: AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N
Name of the Vulnerable Software and Affected Versions
Tornado versions prior to 6.5.5
Description
Tornado is a Python web framework and asynchronous networking library. In versions prior to 6.5.5, the only limit on the number of parts in multipart/form-data requests is the max body size setting, which defaults to 100MB. Because parsing of these requests occurs synchronously on the main thread, this can lead to a denial-of-service condition due to the computational cost of processing very large multipart bodies with numerous parts. Tornado 6.5.5 introduces new limits on the size and complexity of multipart bodies, including a default limit of 100 parts per request, configurable through tornado.httputil.ParseMultipartConfig. It is also possible to disable multipart/form-data parsing entirely if it is not required.
Recommendations
Versions prior to 6.5.5 should be updated to version 6.5.5 or later.
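A guard of the kind the description calls for, as an added example (not Tornado's code or its 6.5.5 fix): it bounds the number of parts with one linear scan for boundary delimiters before any per-part parsing. The function names and the sample body are constructed for illustration; the default of 100 mirrors the limit described above.

```python
# Added example: names and sample data are constructed, not Tornado's API.
from email.message import Message
from typing import Optional

DEFAULT_MAX_PARTS = 100  # mirrors the default limit the advisory describes


def multipart_boundary(content_type: str) -> Optional[bytes]:
    """Return the boundary of a multipart/form-data Content-Type, else None."""
    msg = Message()
    msg["Content-Type"] = content_type
    if msg.get_content_type() != "multipart/form-data":
        return None
    boundary = msg.get_boundary()  # also strips surrounding quotes
    return boundary.encode("latin-1") if boundary else None


def count_parts_upper_bound(body: bytes, boundary: bytes) -> int:
    """Upper bound on the part count: one linear scan, no per-part parsing."""
    delimiter = b"--" + boundary
    hits = body.count(delimiter)
    # The closing delimiter ("--boundary--") ends the body and is not a part.
    if body.rstrip(b"\r\n").endswith(delimiter + b"--"):
        hits -= 1
    return hits


def within_part_limit(content_type: str, body: bytes,
                      max_parts: int = DEFAULT_MAX_PARTS) -> bool:
    """True if the body is not multipart/form-data or stays within max_parts."""
    boundary = multipart_boundary(content_type)
    if boundary is None:
        return True  # not multipart, or no boundary for a parser to split on
    return count_parts_upper_bound(body, boundary) <= max_parts


def build_sample(boundary: bytes, n: int) -> bytes:
    """Constructed sample body with n one-byte text fields."""
    part = b'Content-Disposition: form-data; name="f%d"\r\n\r\nv\r\n'
    body = b"".join(b"--" + boundary + b"\r\n" + part % i for i in range(n))
    return body + b"--" + boundary + b"--\r\n"
```

The count is deliberately an upper bound: a boundary string that also appears inside field data is counted as a part, so the check can only err toward rejecting.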
Exploit
Fix
DoS
Resource Exhaustion
Weakness Enumeration
Related Identifiers
Affected Products
Linuxmint
Red Os
Rocky Linux
Tornado
Ubuntu