GHSA-78cv-mqj4-43f7: Tornado has incomplete validation of cookie attributes
Values passed to the domain, path, and samesite arguments of RequestHandler.set_cookie were not completely validated in versions of Tornado prior to 6.5.5. In particular, semicolons would be allowed, which could be used to inject attacker-controlled values for other cookie attributes.
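An application-side check for the three arguments named above, written as an added example; it is not Tornado's code and not the fix shipped in 6.5.5. The allow-lists and the names checked_cookie_attrs, audit and SAMPLES are assumptions of this example, and the returned dict is meant to be passed as keyword arguments to RequestHandler.set_cookie.

```python
import re

# Assumed allow-lists for this example; stricter than "no semicolons".
_DOMAIN_RE = re.compile(r"\.?[A-Za-z0-9-]+(\.[A-Za-z0-9-]+)*")
_PATH_BAD_RE = re.compile(r"[;\x00-\x1f\x7f]")
_SAMESITE = {"strict": "Strict", "lax": "Lax", "none": "None"}


def checked_cookie_attrs(domain=None, path="/", samesite=None):
    """Return validated keyword arguments for set_cookie, or raise ValueError."""
    attrs = {}
    if domain is not None:
        if not _DOMAIN_RE.fullmatch(domain):
            raise ValueError(f"invalid cookie domain: {domain!r}")
        attrs["domain"] = domain
    if not path.startswith("/") or _PATH_BAD_RE.search(path):
        raise ValueError(f"invalid cookie path: {path!r}")
    attrs["path"] = path
    if samesite is not None:
        try:
            attrs["samesite"] = _SAMESITE[samesite.lower()]
        except KeyError:
            raise ValueError(f"invalid samesite value: {samesite!r}") from None
    return attrs


def audit(values):
    """Map each (domain, path, samesite) tuple to 'ok' or the error text."""
    results = []
    for domain, path, samesite in values:
        try:
            checked_cookie_attrs(domain, path, samesite)
            results.append("ok")
        except ValueError as exc:
            results.append(str(exc))
    return results


# Constructed sample inputs: the last three carry a semicolon, which would
# otherwise begin a new attribute in the emitted Set-Cookie header.
SAMPLES = [
    ("example.com", "/app", "Lax"),
    (".example.com", "/", None),
    ("example.com; Secure", "/", None),
    (None, "/app; Domain=other.example", None),
    (None, "/", "None; Path=/admin"),
]

if __name__ == "__main__":
    for sample, result in zip(SAMPLES, audit(SAMPLES)):
        print(sample, "->", result)
```

A check like this matters only where domain, path or samesite are derived from request data or other untrusted input; upgrading to Tornado 6.5.5 or later remains the remedy the advisory describes.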