CVE-2026-49855 - High Severity Vulnerability
Vulnerable Library - tornado-5.1.1.tar.gz
Tornado is a Python web framework and asynchronous networking library, originally developed at FriendFeed.
Library home page: https://files.pythonhosted.org/packages/e6/78/6e7b5af12c12bdf38ca9bfe863fcaf53dc10430a312d0324e76c1e5ca426/tornado-5.1.1.tar.gz
Path to dependency file: /tmp/ws-ua_20220122232947_MZFNWS/archiveExtraction_KXRZMM/PZSZKX/20220122232947/codechung_depth_0/awscli-bundle/packages/urllib3-1.25.10.tar/urllib3-1.25.10/dev-requirements.txt
Path to vulnerable library:
- /awscli-bundle/packages/urllib3-1.25.10.tar/urllib3-1.25.10/dev-requirements.txt
- /awscli-bundle/awscli-bundle/packages/urllib3-1.25.7.tar/urllib3-1.25.7/dev-requirements.txt
- /awscli-bundle/awscli-bundle/packages/urllib3-1.25.10.tar/urllib3-1.25.10/dev-requirements.txt
- /awscli-bundle/awscli-bundle/packages/urllib3-1.25.7.tar/urllib3-1.25.7/docs/requirements.txt
- /awscli-bundle/packages/urllib3-1.25.10.tar/urllib3-1.25.10/docs/requirements.txt
- /awscli-bundle/packages/urllib3-1.25.7.tar/urllib3-1.25.7/docs/requirements.txt
- /awscli-bundle/awscli-bundle/packages/urllib3-1.25.10.tar/urllib3-1.25.10/docs/requirements.txt
- /awscli-bundle/packages/urllib3-1.25.7.tar/urllib3-1.25.7/dev-requirements.txt
Dependency Hierarchy:
- ❌ tornado-5.1.1.tar.gz (Vulnerable Library)
Found in HEAD commit: de1c2b0d1a23367b161c2d995029f9693bd8a155
Found in base branch: master
Vulnerability Details
Tornado's gzip decompression routines work in limited-size chunks, but they have no overall limit on the total size of decompressed chunks that they will accumulate (there has always been a limit on the total compressed size). This allows a malicious server to consume effectively unlimited amounts of memory on a client that accesses it via SimpleAsyncHTTPClient in its default configuration. HTTPServer is not affected in its default configuration, but it is affected if decompress_request=True is set. This bug is fixed in Tornado 6.5.6: max_body_size is now checked against both the compressed size and the cumulative decompressed size of the response. Prior to upgrading, this issue can be mitigated by setting decompress_response=False or by using CurlAsyncHTTPClient.
Publish Date: 2026-06-15
URL: CVE-2026-49855
CVSS 3 Score Details (7.5)
Base Score Metrics:
- Exploitability Metrics:
  - Attack Vector: Network
  - Attack Complexity: Low
  - Privileges Required: None
  - User Interaction: None
  - Scope: Unchanged
- Impact Metrics:
  - Confidentiality Impact: None
  - Integrity Impact: None
  - Availability Impact: High
Suggested Fix
Type: Upgrade version
Origin: GHSA-mgf9-4vpg-hj56
Release Date: 2026-06-15
Fix Resolution: 6.5.6