SecBoard
Zurück zur CVE-Übersicht

CVE-2026-49855

HIGH(7.5)

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

Risk Signal Score29/100 — MITTEL
  • CVSS 7.5 — Hoch
  • Weniger als 24 Stunden alt

Beschreibung

Tornado is a Python web framework and asynchronous networking library. Prior to 6.5.6, Tornado gzip decompression routines processed limited-size chunks but did not enforce an overall limit on accumulated decompressed chunks, allowing a malicious server accessed by SimpleAsyncHTTPClient or an HTTPServer configured with decompress_request=True to consume effectively unlimited memory. This issue is fixed in version 6.5.6.

GitHub Advisories

GHSA-mgf9-4vpg-hj56HIGH

tornado AsyncHTTPClient accumulates decompressed chunks without size limit (gzip bomb)

pip/tornado6.5.6
GitHub Advisory

Referenzen