CVE-2026-31958: Tornado is vulnerable to DoS due to too many multipart parts
In versions of Tornado prior to 6.5.5, the only limit on the number of parts in multipart/form-data is the max_body_size setting (default 100MB). Since parsing occurs synchronously on the main thread, this creates the possibility of denial-of-service due to the cost of parsing very large multipart bodies with many parts.
Tornado 6.5.5 introduces new limits on the size and complexity of multipart bodies, including a default limit of 100 parts per request. These limits are configurable if needed; see tornado.httputil.ParseMultipartConfig. It is also now possible to disable multipart/form-data parsing entirely if it is not required for the application.
References
- github.com/advisories/GHSA-qjxf-f2mg-c6mc
- github.com/tornadoweb/tornado
- github.com/tornadoweb/tornado/commit/119a195e290c43ad2d63a2cf012c29d43d6ed839
- github.com/tornadoweb/tornado/releases/tag/v6.5.5
- github.com/tornadoweb/tornado/security/advisories/GHSA-qjxf-f2mg-c6mc
- nvd.nist.gov/vuln/detail/CVE-2026-31958
Code Behaviors & Features
Detect and mitigate CVE-2026-31958 with GitLab Dependency Scanning
Secure your software supply chain by verifying that all open source dependencies used in your projects contain no disclosed vulnerabilities. Learn more about Dependency Scanning →