๐Ÿ” CVE Alert

CVE-2026-49855

HIGH 7.5

tornado AsyncHTTPClient accumulates decompressed chunks without size limit (gzip bomb)

CVSS Score
7.5
EPSS Score
0.0%
EPSS Percentile
0th

Tornado is a Python web framework and asynchronous networking library. Prior to 6.5.6, Tornado gzip decompression routines processed limited-size chunks but did not enforce an overall limit on accumulated decompressed chunks, allowing a malicious server accessed by SimpleAsyncHTTPClient or an HTTPServer configured with decompress_request=True to consume effectively unlimited memory. This issue is fixed in version 6.5.6.

CWE CWE-409
Vendor tornadoweb
Product tornado
Published Jul 14, 2026
Stay Ahead of the Next One

Get instant alerts for tornadoweb tornado

Be the first to know when new high vulnerabilities affecting tornadoweb tornado are published โ€” delivered to Slack, Telegram or Discord.

Get Free Alerts โ†’ Free ยท No credit card ยท 60 sec setup

CVSS v3 Breakdown

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
Attack Vector
Network
Attack Complexity
Low
Privileges Required
None
User Interaction
None
Scope
Unchanged
Confidentiality
None
Integrity
None
Availability
High

Affected Versions

tornadoweb / tornado
< 6.5.6

References

NVD โ†— CVE.org โ†— EPSS Data โ†—
github.com: https://github.com/tornadoweb/tornado/security/advisories/GHSA-mgf9-4vpg-hj56 github.com: https://github.com/tornadoweb/tornado/pull/3626 github.com: https://github.com/tornadoweb/tornado/commit/ff808b33adc52d89a549376a5e3628e92abbc8ff