
CVE-2025-47287 – Tornado vulnerable to excessive logging caused by malformed multipart form data
https://notcve.org/view.php?id=CVE-2025-47287
15 May 2025 — Tornado is a Python web framework and asynchronous networking library. When Tornado's multipart/form-data parser encounters certain errors, it logs a warning but continues trying to parse the remainder of the data. This allows remote attackers to generate an extremely high volume of logs, constituting a DoS attack. This DoS is compounded by the fact that the logging subsystem is synchronous. All versions of Tornado prior to 6.5.0 are affected. • https://github.com/tornadoweb/tornado/commit/b39b892bf78fe8fea01dd45199aa88307e7162f3 • CWE-770: Allocation of Resources Without Limits or Throttling •

CVE-2024-52804 – Tornado has HTTP cookie parsing DoS vulnerability
https://notcve.org/view.php?id=CVE-2024-52804
22 Nov 2024 — Tornado is a Python web framework and asynchronous networking library. The algorithm used for parsing HTTP cookies in Tornado versions prior to 6.4.2 sometimes has quadratic complexity, leading to excessive CPU consumption when parsing maliciously crafted cookie headers. This parsing occurs in the event loop thread and may block the processing of other requests. Version 6.4.2 fixes the issue. A flaw was found in Tornado's HTTP cookie parsing algorithm. • https://github.com/advisories/GHSA-7pwv-g7hj-39pr • CWE-400: Uncontrolled Resource Consumption • CWE-770: Allocation of Resources Without Limits or Throttling •

CVE-2023-28370 – python-tornado: open redirect vulnerability in StaticFileHandler under certain configurations
https://notcve.org/view.php?id=CVE-2023-28370
25 May 2023 — Open redirect vulnerability in Tornado versions 6.3.1 and earlier allows a remote unauthenticated attacker to redirect a user to an arbitrary web site and conduct a phishing attack by having the user access a specially crafted URL. A vulnerability was found in the python-tornado library. This flaw causes an open redirect vulnerability that allows a remote, unauthenticated attacker to redirect a user to an arbitrary website and conduct a phishing attack by having the user access a specially crafted URL. It was d... • https://github.com/tornadoweb/tornado/releases/tag/v6.3.2 • CWE-601: URL Redirection to Untrusted Site ('Open Redirect') •

CVE-2023-25266
https://notcve.org/view.php?id=CVE-2023-25266
28 Feb 2023 — An issue was discovered in Docmosis Tornado prior to version 2.9.5. An authenticated attacker can change the Office directory setting to point to an arbitrary remote network path. This triggers the execution of the soffice binary under the attacker's control, leading to arbitrary remote code execution (RCE). • https://frycos.github.io/vulns4free/2023/01/24/0days-united-nations.html •

CVE-2023-25265
https://notcve.org/view.php?id=CVE-2023-25265
28 Feb 2023 — Docmosis Tornado <= 2.9.4 is vulnerable to Directory Traversal leading to the disclosure of arbitrary content on the file system. • https://frycos.github.io/vulns4free/2023/01/24/0days-united-nations.html • CWE-22: Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') •

CVE-2023-25264
https://notcve.org/view.php?id=CVE-2023-25264
28 Feb 2023 — An issue was discovered in Docmosis Tornado prior to version 2.9.5. An unauthenticated attacker can bypass the authentication check filter completely by introducing a specially crafted request with relative path segments. • https://frycos.github.io/vulns4free/2023/01/24/0days-united-nations.html • CWE-287: Improper Authentication •

CVE-2014-9720
https://notcve.org/view.php?id=CVE-2014-9720
24 Jan 2020 — Tornado before 3.2.2 sends arbitrary responses that contain a fixed CSRF token and may be sent with HTTP compression, which makes it easier for remote attackers to conduct a BREACH attack and determine this token via a series of crafted requests. • http://openwall.com/lists/oss-security/2015/05/19/4 • CWE-203: Observable Discrepancy •

CVE-2012-2374
https://notcve.org/view.php?id=CVE-2012-2374
23 May 2012 — CRLF injection vulnerability in the tornado.web.RequestHandler.set_header function in Tornado before 2.2.1 allows remote attackers to inject arbitrary HTTP headers and conduct HTTP response splitting attacks via crafted input. • http://openwall.com/lists/oss-security/2012/05/18/12 • CWE-20: Improper Input Validation •