Update dependency tornado to v6.5.5 [SECURITY]

[renovate]

This PR contains the following updates:

Package	Change	Age	Confidence
tornado (source)	==6.5.2 → ==6.5.5

---

Tornado has incomplete validation of cookie attributes

GHSA-78cv-mqj4-43f7

More information

Details

Values passed to the domain, path, and samesite arguments of RequestHandler.set_cookie were not completely validated in versions of Tornado prior to 6.5.5. In particular, semicolons would be allowed, which could be used to inject attacker-controlled values for other cookie attributes.

Severity

• CVSS Score: 5.4 / 10 (Medium)
• Vector String: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:L/A:N

References

• https://github.com/tornadoweb/tornado/security/advisories/GHSA-78cv-mqj4-43f7
• https://github.com/tornadoweb/tornado/commit/24a2d96ea115f663b223887deb0060f13974c104
• https://github.com/tornadoweb/tornado/releases/tag/v6.5.5
• https://github.com/advisories/GHSA-78cv-mqj4-43f7

This data is provided by the GitHub Advisory Database (CC-BY 4.0).

---

Tornado is vulnerable to DoS due to too many multipart parts

CVE-2026-31958 / GHSA-qjxf-f2mg-c6mc

More information

Details

In versions of Tornado prior to 6.5.5, the only limit on the number of parts in multipart/form-data is the max_body_size setting (default 100MB). Since parsing occurs synchronously on the main thread, this creates the possibility of denial-of-service due to the cost of parsing very large multipart bodies with many parts.

Tornado 6.5.5 introduces new limits on the size and complexity of multipart bodies, including a default limit of 100 parts per request. These limits are configurable if needed; see tornado.httputil.ParseMultipartConfig. It is also now possible to disable multipart/form-data parsing entirely if it is not required for the application.

Severity

• CVSS Score: 8.7 / 10 (High)
• Vector String: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N

References

• https://github.com/tornadoweb/tornado/security/advisories/GHSA-qjxf-f2mg-c6mc
• https://nvd.nist.gov/vuln/detail/CVE-2026-31958
• https://github.com/tornadoweb/tornado/commit/119a195e290c43ad2d63a2cf012c29d43d6ed839
• https://github.com/tornadoweb/tornado/releases/tag/v6.5.5
• https://lists.debian.org/debian-lts-announce/2026/04/msg00000.html
• https://github.com/pypa/advisory-database/tree/main/vulns/tornado/PYSEC-2026-140.yaml
• https://github.com/advisories/GHSA-qjxf-f2mg-c6mc

This data is provided by the GitHub Advisory Database (CC-BY 4.0).

---

Tornado has cookie attribute injection via .RequestHandler.set_cookie

CVE-2026-35536 / GHSA-fqwm-6jpj-5wxc

More information

Details

In Tornado before 6.5.5, cookie attribute injection could occur because the domain, path, and samesite arguments to .RequestHandler.set_cookie were not checked for crafted characters.

Severity

• CVSS Score: 7.2 / 10 (High)
• Vector String: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:L/I:L/A:N

References

• https://github.com/tornadoweb/tornado/security/advisories/GHSA-78cv-mqj4-43f7
• https://nvd.nist.gov/vuln/detail/CVE-2026-35536
• https://github.com/tornadoweb/tornado/releases/tag/v6.5.5
• https://github.com/advisories/GHSA-fqwm-6jpj-5wxc

This data is provided by the GitHub Advisory Database (CC-BY 4.0).

---

Release Notes

tornadoweb/tornado (tornado)

v6.5.5

Compare Source

v6.5.4

Compare Source

v6.5.3

Compare Source

---

Configuration

📅 Schedule: (UTC)

• Branch creation
  • At any time (no schedule defined)
• Automerge
  • At any time (no schedule defined)

🚦 Automerge: Disabled by config. Please merge this manually once you are satisfied.

♻ Rebasing: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox.

🔕 Ignore: Close this PR and you won't be reminded about these updates again.

---

• If you want to rebase/retry this PR, check this box

---

This PR was generated by Mend Renovate. View the repository job log.

[renovate]

Autoclosing Skipped

This PR has been flagged for autoclosing. However, it is being skipped due to the branch being already modified. Please close/delete it manually or report a bug if you think this is in error.