Skip to content

chore(deps): update dependency tornado to v6.5.5 [security]#735

Merged
dkropachev merged 1 commit into
masterfrom
renovate/pypi-tornado-vulnerability
Mar 31, 2026
Merged

chore(deps): update dependency tornado to v6.5.5 [security]#735
dkropachev merged 1 commit into
masterfrom
renovate/pypi-tornado-vulnerability

Conversation

@renovate

@renovate renovate Bot commented Mar 12, 2026

Copy link
Copy Markdown

This PR contains the following updates:

Package Change Age Confidence
tornado (source) 6.5.26.5.5 age confidence

GitHub Vulnerability Alerts

GHSA-78cv-mqj4-43f7

Values passed to the domain, path, and samesite arguments of RequestHandler.set_cookie were not completely validated in versions of Tornado prior to 6.5.5. In particular, semicolons would be allowed, which could be used to inject attacker-controlled values for other cookie attributes.

CVE-2026-31958

In versions of Tornado prior to 6.5.5, the only limit on the number of parts in multipart/form-data is the max_body_size setting (default 100MB). Since parsing occurs synchronously on the main thread, this creates the possibility of denial-of-service due to the cost of parsing very large multipart bodies with many parts.

Tornado 6.5.5 introduces new limits on the size and complexity of multipart bodies, including a default limit of 100 parts per request. These limits are configurable if needed; see tornado.httputil.ParseMultipartConfig. It is also now possible to disable multipart/form-data parsing entirely if it is not required for the application.


Release Notes

tornadoweb/tornado (tornado)

v6.5.5

Compare Source

v6.5.4

Compare Source

v6.5.3

Compare Source


Configuration

📅 Schedule: Branch creation - "" (UTC), Automerge - At any time (no schedule defined).

🚦 Automerge: Disabled by config. Please merge this manually once you are satisfied.

Rebasing: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox.

🔕 Ignore: Close this PR and you won't be reminded about this update again.


  • If you want to rebase/retry this PR, check this box

This PR was generated by Mend Renovate. View the repository job log.

@renovate renovate Bot changed the title chore(deps): update dependency tornado to v6.5.5 [security] chore(deps): update dependency tornado to v6.5.5 [security] - autoclosed Mar 27, 2026
@renovate renovate Bot closed this Mar 27, 2026
@renovate renovate Bot deleted the renovate/pypi-tornado-vulnerability branch March 27, 2026 02:04
@renovate renovate Bot changed the title chore(deps): update dependency tornado to v6.5.5 [security] - autoclosed chore(deps): update dependency tornado to v6.5.5 [security] Mar 30, 2026
@renovate renovate Bot reopened this Mar 30, 2026
@renovate renovate Bot force-pushed the renovate/pypi-tornado-vulnerability branch 2 times, most recently from a9f22b8 to 50d1555 Compare March 30, 2026 18:01
@dkropachev dkropachev merged commit ad12bed into master Mar 31, 2026
7 checks passed
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet

Projects

None yet

Development

Successfully merging this pull request may close these issues.

1 participant