Severity by source
AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:N/A:N
Network-reachable redirect handling, low complexity; PR:L reflects attacker control of an upstream/redirect target; scope changes as credentials cross origins; confidentiality-only impact.
Primary rating from Vendor (https://github.com/tornadoweb/tornado).
CVSS VectorVendor: https://github.com/tornadoweb/tornado
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:N/A:N
Lifecycle Timeline
2Blast Radius
ecosystem impact- 1 pypi packages depend on tornado (1 direct, 0 indirect)
Ecosystem-wide dependent count for version 6.5.6.
DescriptionCVE.org
Summary
When SimpleAsyncHTTPClient follows a 3xx redirect, it shallow-copies the original HTTPRequest, rewrites the URL, decrements max_redirects, and removes only the Host header. It does not clear Authorization, auth_username, auth_password, or auth_mode when the redirect target changes origin.
As a result, credentials intended for one origin can be forwarded to a different origin when follow_redirects=True, which is the default.
Beginning in Tornado 6.5.6, SimpleAsyncHTTPClient matches the default behavior of libcurl (and therefore CurlAsyncHTTPClient): When a redirect changes the scheme, host, or port of the url, the Authorization and Cookie headers will be removed when following the redirect.
AnalysisAI
Credential leakage in Tornado's SimpleAsyncHTTPClient (versions prior to 6.5.6) allows sensitive Authorization headers and HTTP auth parameters to be forwarded to attacker-controlled origins during 3xx redirect handling. Because follow_redirects=True is the default behavior, any Tornado-based client making outbound HTTP requests with credentials may inadvertently disclose them to a redirect target on a different scheme, host, or port. No public exploit identified at time of analysis, and this issue is not listed in CISA KEV.
Technical ContextAI
Tornado is a widely deployed Python asynchronous networking framework and web server, and SimpleAsyncHTTPClient is its built-in HTTP client used for outbound requests. The flaw stems from how the client's redirect handler shallow-copies the original HTTPRequest, rewrites the URL, decrements max_redirects, and strips only the Host header - leaving Authorization, auth_username, auth_password, and auth_mode intact across origin changes. This maps to CWE-200 (Exposure of Sensitive Information to an Unauthorized Actor): credentials scoped to one origin cross a trust boundary into another. The fix in 6.5.6 aligns SimpleAsyncHTTPClient with libcurl's long-standing default behavior (also used by Tornado's CurlAsyncHTTPClient), stripping Authorization and Cookie headers whenever the redirect changes scheme, host, or port.
RemediationAI
Vendor-released patch: Tornado 6.5.6 - upgrade with pip install --upgrade tornado>=6.5.6, which makes SimpleAsyncHTTPClient strip Authorization and Cookie headers on cross-origin redirects, matching libcurl. If immediate upgrade is not possible, set follow_redirects=False on HTTPRequest objects that carry credentials and handle redirects manually so headers can be re-evaluated per hop (trade-off: callers must implement loop limits and redirect validation themselves); alternatively, switch to CurlAsyncHTTPClient, which already mirrors libcurl's safe redirect behavior (trade-off: adds a libcurl/pycurl dependency and slightly different feature surface). For services that proxy user-supplied URLs, additionally validate or allowlist redirect targets and avoid attaching long-lived bearer tokens to requests whose final destination is not pinned. Full advisory: https://github.com/tornadoweb/tornado/security/advisories/GHSA-3x9g-8vmp-wqvf.
Same weakness CWE-200 – Information Exposure
View allSame technique Information Disclosure
View allVendor StatusVendor
SUSE
| Product | Status |
|---|---|
| openSUSE Tumbleweed | Fixed |
Share
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-44503
GHSA-3x9g-8vmp-wqvf