CVE-2026-49855 PUBLISHED

tornado AsyncHTTPClient accumulates decompressed chunks without size limit (gzip bomb)

Assigner: GitHub_M
Reserved: 01.06.2026 Published: 14.07.2026 Updated: 14.07.2026

Tornado is a Python web framework and asynchronous networking library. Prior to 6.5.6, Tornado gzip decompression routines processed limited-size chunks but did not enforce an overall limit on accumulated decompressed chunks, allowing a malicious server accessed by SimpleAsyncHTTPClient or an HTTPServer configured with decompress_request=True to consume effectively unlimited memory. This issue is fixed in version 6.5.6.

Metrics

CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
CVSS Score: 7.5

Product Status

Vendor tornadoweb
Product tornado
Versions
  • Version < 6.5.6 is affected

References

Problem Types

  • CWE-409: Improper Handling of Highly Compressed Data (Data Amplification) CWE