CVE-2026-31958
Received Received - Intake
Denial of Service in Tornado Multipart Parser Before

Publication date: 2026-03-11

Last updated on: 2026-04-01

Assigner: GitHub, Inc.

Description
Tornado is a Python web framework and asynchronous networking library. In versions of Tornado prior to 6.5.5, the only limit on the number of parts in multipart/form-data is the max_body_size setting (default 100MB). Since parsing occurs synchronously on the main thread, this creates the possibility of denial-of-service due to the cost of parsing very large multipart bodies with many parts. This vulnerability is fixed in 6.5.5.
CVSS Scores
EPSS Scores
Probability:
Percentile:
Meta Information
Published
2026-03-11
Last Modified
2026-04-01
Generated
2026-06-16
AI Q&A
2026-03-11
EPSS Evaluated
2026-06-15
NVD
CVE-2026-31958
EUVD
EUVD-2026-11323
Affected Vendors & Products
Showing 1 associated CPE
Vendor Product Version / Range
tornadoweb tornado to 6.5.5 (exc)
Helpful Resources
Exploitability
CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-400 The product does not properly control the allocation and maintenance of a limited resource.
Attack-Flow Graph
AI Quick Actions
Instant insights powered by AI
Executive Summary

CVE-2026-31958 is a denial-of-service (DoS) vulnerability in Tornado versions up to 6.5.4 caused by insufficient limits on multipart/form-data parsing.

Before version 6.5.5, Tornado only limited the total request body size via the max_body_size setting (default 100MB) but did not restrict the number of multipart parts.

Since multipart parsing occurs synchronously on the main thread, an attacker can exploit this by sending a request with an excessive number of multipart parts, causing high CPU usage and blocking the server, leading to denial-of-service.

The vulnerability is classified as CWE-400 (Uncontrolled Resource Consumption) and is rated with high severity.

Impact Analysis

[{'type': 'paragraph', 'content': 'This vulnerability can impact you by allowing an attacker to cause a denial-of-service (DoS) condition on your Tornado server.'}, {'type': 'paragraph', 'content': "By sending a request with an excessive number of multipart parts, the attacker can cause high CPU usage and block the server's main thread, making the server unresponsive to legitimate requests."}, {'type': 'paragraph', 'content': 'This can lead to service outages and degraded availability of your web application or service.'}] [1]

Compliance Impact

I don't know

Detection Guidance

This vulnerability can be detected by monitoring for unusually high CPU usage or server blocking caused by requests containing an excessive number of multipart/form-data parts.

Specifically, you can look for HTTP requests with a large number of multipart parts that exceed the default or configured limits.

While no specific commands are provided in the resources, you can use network monitoring tools or web server logs to identify requests with many multipart parts.

  • Use packet capture tools like tcpdump or Wireshark to capture HTTP traffic and analyze multipart/form-data requests.
  • Check web server access logs for requests with large Content-Length headers or suspicious multipart boundaries.
  • Monitor server CPU usage and thread blocking during high traffic to detect potential DoS caused by multipart parsing.
Mitigation Strategies

To mitigate this vulnerability immediately, upgrade Tornado to version 6.5.5 or later, where the issue is fixed.

Version 6.5.5 introduces configurable limits on multipart body size and complexity, including a default maximum of 100 parts per request.

If multipart/form-data parsing is not needed, it can be disabled entirely to prevent exploitation.

Chat Assistant
Ask questions about this CVE
Hi! I’m here to help you understand CVE-2026-31958. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70
EPSS Chart