CVE-2026-31958 is a vulnerability classified under CWE-400 (Uncontrolled Resource Consumption) affecting the Tornado Python web framework and asynchronous networking library. Tornado versions prior to 6.5.5 impose a limit on the total request body size via the max_body_size setting (default 100MB), but do not limit the number of parts in multipart/form-data requests. Multipart parsing occurs synchronously on the main event loop thread, meaning that processing a request with an extremely large number of parts can consume excessive CPU and memory resources, blocking the main thread and causing denial-of-service conditions. Because Tornado is often used to build web servers and APIs, this vulnerability can be exploited remotely by unauthenticated attackers sending specially crafted HTTP requests with many multipart sections. The vulnerability was publicly disclosed and assigned CVE-2026-31958 with a CVSS 4.0 score of 8.7, reflecting its high impact on availability and ease of exploitation (network vector, no privileges or user interaction required). The fix was introduced in Tornado 6.5.5, which adds limits to multipart parsing to prevent excessive resource consumption. No known exploits have been reported in the wild as of the publication date. This vulnerability highlights the risk of synchronous processing of untrusted input in event-driven frameworks, where blocking operations can degrade or halt service.

The primary impact of CVE-2026-31958 is denial-of-service (DoS) against Tornado-based web applications. Attackers can craft multipart/form-data requests with a large number of parts to exhaust CPU and memory resources on the server, blocking the main event loop and causing service unavailability. This can disrupt critical web services, APIs, and backend systems relying on Tornado, leading to downtime and potential loss of business continuity. Because the vulnerability requires no authentication and can be triggered remotely, it poses a significant risk to internet-facing applications. Organizations using Tornado in high-traffic or critical environments may experience degraded performance or outages, impacting users and customers. Additionally, resource exhaustion could be leveraged as part of a larger attack chain or to distract from other malicious activities. The lack of known exploits in the wild suggests limited current exploitation but does not preclude future attacks, especially as the vulnerability is publicly known and easy to test. Overall, the vulnerability threatens availability and operational stability of affected systems worldwide.

To mitigate CVE-2026-31958, organizations should upgrade all Tornado deployments to version 6.5.5 or later, where the multipart parsing limits have been implemented. If immediate upgrade is not feasible, consider implementing reverse proxy or web application firewall (WAF) rules to detect and block HTTP requests with unusually large numbers of multipart sections or excessively large bodies. Rate limiting and connection throttling can reduce the risk of resource exhaustion. Application developers should avoid synchronous blocking operations on the main event loop and consider asynchronous or streaming parsing methods for multipart data. Monitoring server resource usage and request patterns can help detect potential exploitation attempts. Additionally, review and tighten max_body_size settings to the minimum necessary for application functionality. Regularly audit dependencies and apply security patches promptly to reduce exposure to known vulnerabilities. Finally, conduct penetration testing and fuzzing on multipart request handling to identify similar weaknesses proactively.