Tornado is a Python web framework and asynchronous networking library. Prior to 6.5.6, Tornado gzip decompression routines processed limited-size chunks but did not enforce an overall limit on accumulated decompressed chunks, allowing a malicious server accessed by SimpleAsyncHTTPClient or an HTTPServer configured with decompress_request=True to consume effectively unlimited memory. This issue is fixed in version 6.5.6.
Metrics
Affected Vendors & Products
References
History
Thu, 16 Jul 2026 15:30:00 +0000
| Type | Values Removed | Values Added |
|---|---|---|
| Metrics |
ssvc
|
Wed, 15 Jul 2026 15:30:00 +0000
| Type | Values Removed | Values Added |
|---|---|---|
| First Time appeared |
Tornadoweb
Tornadoweb tornado |
|
| Vendors & Products |
Tornadoweb
Tornadoweb tornado |
Tue, 14 Jul 2026 21:00:00 +0000
| Type | Values Removed | Values Added |
|---|---|---|
| Description | Tornado is a Python web framework and asynchronous networking library. Prior to 6.5.6, Tornado gzip decompression routines processed limited-size chunks but did not enforce an overall limit on accumulated decompressed chunks, allowing a malicious server accessed by SimpleAsyncHTTPClient or an HTTPServer configured with decompress_request=True to consume effectively unlimited memory. This issue is fixed in version 6.5.6. | |
| Title | tornado AsyncHTTPClient accumulates decompressed chunks without size limit (gzip bomb) | |
| Weaknesses | CWE-409 | |
| References |
| |
| Metrics |
cvssV3_1
|
Status: PUBLISHED
Assigner: GitHub_M
Published: 2026-07-14T20:45:02.982Z
Updated: 2026-07-16T14:56:38.904Z
Reserved: 2026-06-01T22:03:19.640Z
Link: CVE-2026-49855
Updated: 2026-07-16T14:56:33.588Z
No data.
No data.