CVE-2026-31958
Denial of Service in Tornado Multipart Parser Before
Publication date: 2026-03-11
Last updated on: 2026-04-01
Assigner: GitHub, Inc.
Description
Description
CVSS Scores
EPSS Scores
| Probability: | |
| Percentile: |
Meta Information
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| tornadoweb | tornado | to 6.5.5 (exc) |
Helpful Resources
Exploitability
| CWE ID | Description |
|---|---|
| CWE-400 | The product does not properly control the allocation and maintenance of a limited resource. |
Attack-Flow Graph
AI Powered Q&A
Can you explain this vulnerability to me?
CVE-2026-31958 is a denial-of-service (DoS) vulnerability in Tornado versions up to 6.5.4 caused by insufficient limits on multipart/form-data parsing.
Before version 6.5.5, Tornado only limited the total request body size via the max_body_size setting (default 100MB) but did not restrict the number of multipart parts.
Since multipart parsing occurs synchronously on the main thread, an attacker can exploit this by sending a request with an excessive number of multipart parts, causing high CPU usage and blocking the server, leading to denial-of-service.
The vulnerability is classified as CWE-400 (Uncontrolled Resource Consumption) and is rated with high severity.
How can this vulnerability impact me? :
[{'type': 'paragraph', 'content': 'This vulnerability can impact you by allowing an attacker to cause a denial-of-service (DoS) condition on your Tornado server.'}, {'type': 'paragraph', 'content': "By sending a request with an excessive number of multipart parts, the attacker can cause high CPU usage and block the server's main thread, making the server unresponsive to legitimate requests."}, {'type': 'paragraph', 'content': 'This can lead to service outages and degraded availability of your web application or service.'}] [1]
How does this vulnerability affect compliance with common standards and regulations (like GDPR, HIPAA)?:
I don't know
How can this vulnerability be detected on my network or system? Can you suggest some commands?
This vulnerability can be detected by monitoring for unusually high CPU usage or server blocking caused by requests containing an excessive number of multipart/form-data parts.
Specifically, you can look for HTTP requests with a large number of multipart parts that exceed the default or configured limits.
While no specific commands are provided in the resources, you can use network monitoring tools or web server logs to identify requests with many multipart parts.
- Use packet capture tools like tcpdump or Wireshark to capture HTTP traffic and analyze multipart/form-data requests.
- Check web server access logs for requests with large Content-Length headers or suspicious multipart boundaries.
- Monitor server CPU usage and thread blocking during high traffic to detect potential DoS caused by multipart parsing.
What immediate steps should I take to mitigate this vulnerability?
To mitigate this vulnerability immediately, upgrade Tornado to version 6.5.5 or later, where the issue is fixed.
Version 6.5.5 introduces configurable limits on multipart body size and complexity, including a default maximum of 100 parts per request.
If multipart/form-data parsing is not needed, it can be disabled entirely to prevent exploitation.