The maintainers of Tornado have fixed three security vulnerabilities in a single update. The popular Python web framework is built for high-concurrency workloads such as WebSockets and long polling, so the flaws touch a wide range of asynchronous services.
Credentials leaking across origins
The most serious issue is CVE-2026-49853, rated CVSS 7.7. When SimpleAsyncHTTPClient follows a redirect to a different origin, it re-sends the original Authorization header to the new destination. Consequently, credentials meant for one site can leak to another, and the site that issues the redirect gets to choose where they go.
Because follow_redirects is on by default, any application that fetches URLs it does not fully control with credentials attached is exposed. The fix strips the Authorization and Cookie headers whenever a redirect changes the scheme, host, or port; a same-origin redirect (for example /login to /account on the same host) still carries them.
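The origin check described above, written out as an added example (this is not Tornado's own code, and the URLs and redirect chain are constructed for illustration): credential-bearing headers survive a same-origin hop and are dropped the moment the scheme, host or port changes, with default ports normalised so that https://h and https://h:443 count as one origin.

```python
from urllib.parse import urljoin, urlsplit

# Added example, not Tornado's code: models the check the fix adds to
# SimpleAsyncHTTPClient, i.e. drop credential-bearing headers when a
# redirect leaves the origin (scheme, host, port) of the original request.
CREDENTIAL_HEADERS = frozenset({"authorization", "cookie"})

# Default ports so that "https://h" and "https://h:443" compare as one origin.
DEFAULT_PORTS = {"http": 80, "https": 443, "ws": 80, "wss": 443}


def origin(url):
    """Return (scheme, host, port) for url, with the default port filled in."""
    parts = urlsplit(url)
    scheme = parts.scheme.lower()
    host = (parts.hostname or "").lower()
    port = parts.port if parts.port is not None else DEFAULT_PORTS.get(scheme)
    return (scheme, host, port)


def headers_for_redirect(request_url, location, headers):
    """Resolve a Location header against the request URL and return
    (next_url, headers_to_send). Credential headers survive a same-origin
    redirect (e.g. /login -> /account) but are dropped as soon as the
    scheme, host or port changes. Header names are matched case-insensitively."""
    next_url = urljoin(request_url, location)
    if origin(next_url) == origin(request_url):
        return next_url, dict(headers)
    kept = {name: value for name, value in headers.items()
            if name.lower() not in CREDENTIAL_HEADERS}
    return next_url, kept


def follow(start_url, headers, responses, max_redirects=5):
    """Walk a redirect chain. `responses` is a constructed map from URL to
    the Location header the server answers with (None means a final,
    non-redirect response). Returns the list of (url, headers) actually sent,
    so you can see exactly at which hop credentials were dropped."""
    url, hdrs = start_url, dict(headers)
    sent = [(url, dict(hdrs))]
    for _ in range(max_redirects):
        location = responses.get(url)
        if location is None:
            return sent
        url, hdrs = headers_for_redirect(url, location, hdrs)
        sent.append((url, dict(hdrs)))
    raise RuntimeError("too many redirects")


# Constructed redirect chain (hypothetical hosts): an in-origin hop, then a
# hop to a CDN on another host. A vulnerable client would send the bearer
# token and cookie to cdn.example; this one sends only Accept.
CHAIN = {
    "https://api.example/login": "/account",
    "https://api.example/account": "https://cdn.example/report.pdf",
    "https://cdn.example/report.pdf": None,
}

if __name__ == "__main__":
    start_headers = {"Authorization": "Bearer secret", "Cookie": "sid=1",
                     "Accept": "*/*"}
    for url, hdrs in follow("https://api.example/login", start_headers, CHAIN):
        print(url, sorted(hdrs))
```

Note that a change of port alone (https://api.example to https://api.example:8443) or of scheme alone (https to http on the same host) is treated as a new origin, which matches the three conditions the fix checks; a downgrade to http would otherwise put the token on the wire in clear.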
A gzip bomb and a memory leak
The second flaw, CVE-2026-49855 (CVSS 7.5), is a classic gzip bomb. Tornado's client decompressed response chunks with no cap on the total decompressed size, so a malicious server could send a small, highly compressible body that expands until it exhausts memory and crashes the process. The fix enforces limits on both the compressed and the decompressed size.
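To make the failure mode concrete, here is an added example (not Tornado's code) of a streaming gzip decoder with the two budgets the fix introduces: one on compressed bytes read and one on decompressed bytes produced. The attacker body is constructed in the block (a few KiB that inflate to 4 MiB); the limit values and helper names are illustrative, not Tornado's.

```python
import gzip
import zlib

# Added example, not Tornado's code: a streaming gzip decoder that enforces
# budgets on both the compressed bytes read and the decompressed bytes
# produced, which is the shape of fix the article describes.


class DecompressionLimitExceeded(Exception):
    """Raised as soon as either budget is exceeded; nothing past the limit
    is ever allocated."""


def bounded_gunzip(chunks, max_compressed=1 << 20, max_decompressed=8 << 20,
                   step=64 * 1024):
    """Decompress a gzip body that arrives as an iterable of chunks.

    zlib's decompressobj is driven with max_length=step so each call returns
    at most `step` bytes; input it could not consume is left in
    unconsumed_tail and fed back in. The running totals are checked after
    every step, so a body that expands 1000:1 is rejected once the output
    passes max_decompressed instead of after the whole thing sits in memory.
    """
    inflater = zlib.decompressobj(wbits=16 + zlib.MAX_WBITS)  # gzip framing
    out = bytearray()
    compressed_seen = 0
    for chunk in chunks:
        compressed_seen += len(chunk)
        if compressed_seen > max_compressed:
            raise DecompressionLimitExceeded(
                "compressed body exceeds %d bytes" % max_compressed)
        pending = chunk
        while pending:
            out += inflater.decompress(pending, step)
            if len(out) > max_decompressed:
                raise DecompressionLimitExceeded(
                    "decompressed body exceeds %d bytes" % max_decompressed)
            pending = inflater.unconsumed_tail
    out += inflater.flush()
    if len(out) > max_decompressed:
        raise DecompressionLimitExceeded(
            "decompressed body exceeds %d bytes" % max_decompressed)
    if not inflater.eof:
        raise ValueError("truncated gzip stream")
    return bytes(out)


def decompress_outcome(chunks, **limits):
    """Convenience wrapper: ("ok", data) or ("rejected", reason)."""
    try:
        return "ok", bounded_gunzip(chunks, **limits)
    except DecompressionLimitExceeded as exc:
        return "rejected", str(exc)


def make_bomb(size):
    """Constructed attacker body: `size` zero bytes, which gzip shrinks by
    roughly 1000:1, so a tiny response can expand to whatever `size` is."""
    return gzip.compress(b"\0" * size)


def split_chunks(data, n):
    """Simulate the chunked delivery an HTTP client sees on the wire."""
    return [data[i:i + n] for i in range(0, len(data), n)]


if __name__ == "__main__":
    bomb = make_bomb(4 << 20)  # 4 MiB of zeros in a few KiB of gzip
    chunks = split_chunks(bomb, 512)
    print(len(bomb), "compressed bytes on the wire")
    print(decompress_outcome(chunks, max_decompressed=1 << 20)[0])  # rejected
    print(len(decompress_outcome(chunks)[1]), "bytes with the default budget")
```

The compressed-size budget matters too: a client that only caps decompressed output can still be kept busy inflating an endless stream, so both limits are checked before any further allocation. Tornado's own mitigation of disabling automatic decompression (decompress_response=False, as the article notes below) sidesteps the problem entirely for callers that do not need it.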
Finally, CVE-2026-49854 (CVSS 5.3) sits in the optional native extension. Its websocket_mask function read a four-byte mask without checking that the mask passed to it was actually four bytes long. As a result, it could expose a few bytes of uninitialized memory, reachable through the XSRF token decoder.
What to do
Update now: all three vulnerabilities are resolved in the Tornado 6.5.6 release, so upgrading is the cleanest fix.
If you cannot patch immediately, several mitigations help. For the gzip bomb, set decompress_response=False on your requests, or switch to CurlAsyncHTTPClient. Disabling the native extension with TORNADO_EXTENSION=0 blocks the memory-read bug. Above all, treat the credential-leak flaw as the top priority: the advisory offers no drop-in workaround for it, and since the exposure comes from automatic redirect following, the practical stopgap is to turn off follow_redirects on any request that carries credentials and handle 3xx responses yourself until you are on 6.5.6.