CVE-2026-31958: Tornado has a DoS due to too many multipart parts
In versions of Tornado prior to 6.5.5, the only limit on the number of parts in multipart/form-data is the `max_body_size` setting (default 100MB). Since parsing occurs synchronously on the main thread, this creates the possibility of denial-of-service due to the cost of parsing very large multipart bodies with many parts.
Tornado 6.5.5 introduces new limits on the size and complexity of multipart bodies, including a default limit of 100 parts per request. These limits are configurable if needed; see tornado.httputil.ParseMultipartConfig. It is also now possible to disable multipart/form-data parsing entirely if it is not required for the application.
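As an added example, not Tornado's own code and not using the `ParseMultipartConfig` API named above (its field names are not on this page), the following self-contained parser shows the defensive pattern the fix describes: count parts with a cheap delimiter scan and reject the body before any per-part parsing once a configured cap is exceeded, alongside a total-size cap. The `MultipartLimits` class and its defaults, the `count_parts` pre-check, and the `build_form_body` test-data helper are this example's own assumptions; the sample bodies are constructed.

```python
from dataclasses import dataclass
from typing import Dict, List, Tuple


class MultipartLimitExceeded(ValueError):
    """Raised when a multipart body exceeds a configured limit."""


@dataclass(frozen=True)
class MultipartLimits:
    """Hypothetical limit set, modelled on the idea of capping part count
    (the advisory cites a default of 100 parts) in addition to body size."""
    max_parts: int = 100
    max_body_size: int = 100 * 1024 * 1024  # 100MB, as in the advisory


def count_parts(body: bytes, boundary: bytes) -> int:
    """Cheaply count part delimiters ('--boundary' alone on a line) without
    parsing any part headers, so an over-long body is rejected early."""
    delimiter = b"--" + boundary
    return sum(1 for line in body.split(b"\r\n") if line == delimiter)


def parse_multipart(
    body: bytes,
    boundary: bytes,
    limits: MultipartLimits = MultipartLimits(),
) -> List[Tuple[Dict[str, str], bytes]]:
    """Parse a multipart/form-data body into (headers, data) tuples,
    enforcing size and part-count limits before doing per-part work."""
    if len(body) > limits.max_body_size:
        raise MultipartLimitExceeded(
            f"body of {len(body)} bytes exceeds max_body_size={limits.max_body_size}"
        )
    n = count_parts(body, boundary)
    if n > limits.max_parts:
        raise MultipartLimitExceeded(f"{n} parts exceeds max_parts={limits.max_parts}")

    delimiter = b"--" + boundary
    closing = body.rfind(delimiter + b"--")
    if closing == -1:
        raise ValueError("missing closing boundary")

    parts: List[Tuple[Dict[str, str], bytes]] = []
    for chunk in body[:closing].split(delimiter + b"\r\n"):
        if not chunk:
            continue  # preamble or empty segment
        head, sep, data = chunk.partition(b"\r\n\r\n")
        if not sep:
            raise ValueError("malformed part: no header terminator")
        headers: Dict[str, str] = {}
        for hline in head.split(b"\r\n"):
            name, _, value = hline.decode("latin-1").partition(":")
            headers[name.strip().lower()] = value.strip()
        if data.endswith(b"\r\n"):
            data = data[:-2]  # strip CRLF that precedes the next delimiter
        parts.append((headers, data))
    return parts


def build_form_body(fields: List[Tuple[str, str]], boundary: bytes) -> bytes:
    """Build a multipart/form-data body from (name, value) pairs.
    Constructed test data for this example only."""
    out = []
    for name, value in fields:
        out.append(b"--" + boundary + b"\r\n")
        out.append(b'Content-Disposition: form-data; name="' + name.encode() + b'"\r\n\r\n')
        out.append(value.encode() + b"\r\n")
    out.append(b"--" + boundary + b"--\r\n")
    return b"".join(out)


if __name__ == "__main__":
    b = b"exampleboundary"
    ok = build_form_body([("user", "alice"), ("note", "hi")], b)
    print(parse_multipart(ok, b))
    too_many = build_form_body([(f"f{i}", "x") for i in range(101)], b)
    try:
        parse_multipart(too_many, b)
    except MultipartLimitExceeded as e:
        print("rejected:", e)
```

The point of `count_parts` is that it touches only delimiter lines, so the cost of refusing an oversized request does not scale with per-part header parsing; a real server would apply the same check at the request boundary, before any handler runs.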
Other sources
Tornado is a Python web framework and asynchronous networking library. In versions of Tornado prior to 6.5.5, the only limit on the number of parts in multipart/form-data is the `max_body_size` setting (default 100MB). Since parsing occurs synchronously on the main thread, this creates the possibility of denial-of-service due to the cost of parsing very large multipart bodies with many parts. This vulnerability is fixed in 6.5.5.
— MITRE
Affected Software
Event History
Frequently Asked Questions
What is the severity of CVE-2026-31958?
CVE-2026-31958 is classified as a Denial of Service (DoS) vulnerability.
How do I fix CVE-2026-31958?
To mitigate CVE-2026-31958, upgrade Tornado to version 6.5.5 or later.
What causes CVE-2026-31958?
CVE-2026-31958 is caused by an insufficient limit on the number of parts in multipart/form-data requests.
Which versions of Tornado are affected by CVE-2026-31958?
Tornado versions prior to 6.5.5 are affected by CVE-2026-31958.
What is Tornado?
Tornado is a Python web framework and asynchronous networking library used for building web applications.