What’s new in Tornado 6.5.3
Dec 10, 2025
Security fixes
Fixed a denial-of-service vulnerability involving quadratic computation when parsing multipart/form-data request bodies. CVE-2025-67726. Thanks to Finder16 for reporting this issue.
Fixed a denial-of-service vulnerability involving quadratic computation when parsing repeated HTTP headers. CVE-2025-67725. Thanks to Finder16 for reporting this issue.
Fixed a header injection and XSS vulnerability involving the reason argument to RequestHandler.set_status and tornado.web.HTTPError. CVE-2025-67724. Thanks to Finder16 and Cheshire1225 for reporting this issue.
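The two denial-of-service fixes above share a root cause class: a parser whose cost grows with the square of the number of repeated fields in one request. The following is an added illustration of that class, written for these notes; it is not Tornado's parser and not the code that was fixed. The first function merges repeated header fields by rebuilding the joined string on every repeat, so n copies of one header cost O(n²) character copies; the second collects values and joins once per name. The header name, the `make_repeated_headers` helper and the copy counter are constructed for the example.

```python
from collections import defaultdict


def parse_headers_quadratic(raw: str):
    """Merge repeated fields by re-joining the accumulated string each time.

    Every repeat copies everything collected so far for that name, so a
    request with n copies of one header costs O(n^2) character copies.
    Returns (headers, chars_copied); the counter only instruments the cost.
    """
    headers = {}
    chars_copied = 0
    for line in raw.split("\r\n"):
        if not line:
            continue
        name, _, value = line.partition(":")
        name, value = name.strip().lower(), value.strip()
        if name in headers:
            merged = headers[name] + "," + value  # copies the whole prefix again
            chars_copied += len(merged)
            headers[name] = merged
        else:
            headers[name] = value
            chars_copied += len(value)
    return headers, chars_copied


def parse_headers_linear(raw: str):
    """Collect each field's values, then join once per name: O(total bytes)."""
    buckets = defaultdict(list)
    chars_copied = 0
    for line in raw.split("\r\n"):
        if not line:
            continue
        name, _, value = line.partition(":")
        name, value = name.strip().lower(), value.strip()
        buckets[name].append(value)
        chars_copied += len(value)
    headers = {}
    for name, values in buckets.items():
        joined = ",".join(values)  # one copy per name, not one per repeat
        chars_copied += len(joined)
        headers[name] = joined
    return headers, chars_copied


def make_repeated_headers(n: int, name: str = "X-Repeat") -> str:
    """Constructed hostile request head: n copies of one small header (hypothetical name)."""
    return "".join(f"{name}: v{i}\r\n" for i in range(n))


if __name__ == "__main__":
    raw = make_repeated_headers(2000)
    _, slow = parse_headers_quadratic(raw)
    _, fast = parse_headers_linear(raw)
    print(f"quadratic: {slow:,} chars copied; linear: {fast:,} chars copied")
```

Both parsers return the same merged headers; only the work differs. A few thousand repeats of a short header, which fits in a request of well under 100 KB, is enough for the quadratic version to do hundreds of times more copying, which is the lever an unauthenticated client pulls in this bug class.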
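For the reason argument fix above, here is an added example (written for these notes, not Tornado's code) of what goes wrong when an untrusted string reaches the reason phrase, and the two checks that close it. The reason phrase is written verbatim into the HTTP/1.1 status line, so a value containing CR LF ends the status line early and the rest becomes attacker-chosen headers and body; the same string rendered unescaped into an HTML error page is the XSS. The hardened versions reject anything outside the RFC 9112 reason-phrase grammar and HTML-escape the text before rendering. The attacker string, the handler that would echo a query parameter into `set_status(reason=...)`, and the minimal response parser are constructed for the example.

```python
import html
import re

# RFC 9112 section 4: reason-phrase = *( HTAB / SP / VCHAR / obs-text ).
# CR, LF and every other control character are outside this grammar.
_REASON_RE = re.compile(r"\A[\t \x21-\x7e\x80-\xff]*\Z")


def is_valid_reason(reason: str) -> bool:
    return _REASON_RE.match(reason) is not None


def status_line_unsafe(code: int, reason: str) -> str:
    """Interpolates the reason verbatim: the behaviour the advisory describes."""
    return f"HTTP/1.1 {code} {reason}\r\n"


def status_line_safe(code: int, reason: str) -> str:
    """Refuses any reason that could terminate the status line or carry controls."""
    if not is_valid_reason(reason):
        raise ValueError("invalid characters in HTTP reason phrase")
    return f"HTTP/1.1 {code} {reason}\r\n"


def error_page(code: int, reason: str) -> str:
    """HTML error body with the reason escaped, so a '<script>' payload is inert text."""
    safe = html.escape(reason, quote=True)
    return f"<html><title>{code}: {safe}</title><body>{code}: {safe}</body></html>"


def parse_response_head(raw: str):
    """Client-side view of a response: status line, header lines, then the body."""
    head, _, body = raw.partition("\r\n\r\n")
    lines = head.split("\r\n")
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return lines[0], headers, body


# Constructed attacker input: what a handler would pass through if it echoed a
# query parameter into set_status(reason=...). Hypothetical, for illustration.
ATTACKER_REASON = (
    "Not Found\r\nSet-Cookie: session=attacker\r\n\r\n<script>alert(1)</script>"
)


def demo_unsafe():
    """Serialize a response with the unchecked reason and parse it as a client would."""
    raw = status_line_unsafe(404, ATTACKER_REASON) + "Content-Type: text/plain\r\n\r\nreal body"
    return parse_response_head(raw)


if __name__ == "__main__":
    status, headers, body = demo_unsafe()
    print("injected header:", headers.get("set-cookie"))
    print("injected body starts with:", body[:25])
    print("safe reason accepted:", is_valid_reason("Not Found"))
    print("page with payload escaped:", "<script>" not in error_page(404, ATTACKER_REASON))
```

The client in the demo sees a `Set-Cookie` header the application never set and a body that begins with the attacker's script; the `status_line_safe` check raises on the same input. Whether or not the framework validates the reason, a handler should not build it from request data; the status code and a fixed phrase are all the status line needs.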
Demo changes
Several demo applications bundled with the Tornado repo (blog, chat, facebook) had an open redirect vulnerability which has been fixed. This is not covered by a CVE or security advisory since the demo applications are not included as a part of the Tornado package when installed, but developers who have copied code from these demos may wish to review their own applications for open redirects. Thanks to J1vvoo for reporting this issue.
The s3server demo application contained some path traversal vulnerabilities. Since this demo application was not demonstrating any interesting aspects of Tornado, it has been deleted rather than being fixed. Thanks to J1vvoo for reporting this issue.
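For developers reviewing copied demo code for open redirects, the following is an added example of the check such a review is looking for; it is written for these notes and is not taken from the demos or from Tornado. It assumes the common pattern in which a login or logout handler redirects to a `next` value taken from the request (an assumption about the application, not a description of the demos' code). The check accepts only same-origin, path-only targets and rejects absolute URLs, scheme-relative forms such as `//evil.example` and `/\evil.example` that browsers treat as a new host, and control characters that could split the Location header.

```python
from urllib.parse import urlsplit


def is_local_redirect(target: str) -> bool:
    """True only for a path-only target on this origin, such as '/posts/3?x=1'."""
    if not target or not target.startswith("/"):
        # Empty, relative ("evil.example"), or a scheme ("javascript:", "https:").
        return False
    if target[1:2] in ("/", "\\"):
        # "//host" is scheme-relative; browsers also read "/\host" that way.
        return False
    if any(ord(c) < 0x20 or ord(c) == 0x7F for c in target):
        # CR/LF or other controls could break out of the Location header.
        return False
    parts = urlsplit(target)
    # Belt and braces: anything urlsplit reads as a scheme or host is not local.
    return not parts.scheme and not parts.netloc


def safe_next(target: str, default: str = "/") -> str:
    """The value a login/logout handler should redirect to; hypothetical helper."""
    return target if is_local_redirect(target) else default


if __name__ == "__main__":
    # Constructed inputs an attacker might place in a 'next' parameter.
    for candidate in ["/", "/posts/3?x=1", "https://evil.example/", "//evil.example",
                      "/\\evil.example", "javascript:alert(1)", "/a\r\nLocation: x"]:
        print(f"{candidate!r:28} -> {safe_next(candidate)!r}")
```

The function is deliberately an allow-list on shape rather than a deny-list of hosts: a comparison against the site's own hostname is easy to get wrong (prefix matches, userinfo tricks such as `https://good.example@evil.example`), whereas "must be a path on this origin" is a check you can read in full.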