CVE-2026-31958: CWE-400: Uncontrolled Resource Consumption in tornadoweb tornado
Tornado is a Python web framework and asynchronous networking library. In versions of Tornado prior to 6.5.5, the only limit on the number of parts in multipart/form-data is the max_body_size setting (default 100MB). Since parsing occurs synchronously on the main thread, this creates the possibility of denial-of-service due to the cost of parsing very large multipart bodies with many parts. This vulnerability is fixed in 6.5.5.
AI Analysis
Technical Summary
Tornado versions before 6.5.5 allow denial-of-service attacks via uncontrolled resource consumption. The vulnerability arises because multipart/form-data parsing occurs synchronously on the main thread and is only limited by the max_body_size setting (default 100MB). Attackers can craft requests with many multipart parts, causing excessive CPU and memory usage during parsing. This vulnerability is tracked as CWE-400 and has a CVSS 4.0 score of 8.7 (high severity). The issue is resolved in Tornado 6.5.5.
Potential Impact
An attacker can cause denial-of-service by sending multipart/form-data requests with a large number of parts, leading to high CPU and memory consumption on the Tornado server. This can degrade or disrupt service availability. There are no known exploits in the wild at this time.
Mitigation Recommendations
Upgrade Tornado to version 6.5.5 or later, where this vulnerability is fixed. Since the vendor advisory confirms the fix in 6.5.5, applying this official patch is the recommended remediation. No other mitigations are indicated.
Technical Details
- Data Version: 5.2
- Assigner Short Name: GitHub_M
- Date Reserved: 2026-03-10T15:40:10.481Z
- CVSS Version: 4.0
- State: PUBLISHED
Threat ID: 69b1c6312f860ef9436c35eb
Added to database: 3/11/2026, 7:44:49 PM
Last enriched: 4/3/2026, 12:21:20 PM
Last updated: 4/26/2026, 2:42:09 AM