Severity by source
AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
Network-reachable malicious server, no privileges or interaction, low complexity; impact is memory exhaustion only, so C:N/I:N/A:H and no scope change.
Primary rating from Vendor (https://github.com/tornadoweb/tornado).
CVSS VectorVendor: https://github.com/tornadoweb/tornado
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
Lifecycle Timeline
2Blast Radius
ecosystem impact- 1 pypi packages depend on tornado (1 direct, 0 indirect)
Ecosystem-wide dependent count for version 6.5.6.
DescriptionCVE.org
Tornado's gzip decompression routines work in limited-size chunks, but have no overall limit for the total size of decompressed chunks that they will accumulate (There has always been a limit for the total *compressed* size). This allows a malicious server to consume effectively unlimited amounts of memory if it is accessed via SimpleAsyncHTTPClient in its default configuration. HTTPServer is not affected in its default configuration, but it is if decompress_request=True is set.
This bug is fixed in Tornado 6.5.6. max_body_size is now checked both for the compressed and cumulative decompressed size of the response.
Prior to upgrading, this issue can be mitigated by setting decompress_response=False or using CurlAsyncHTTPClient.
AnalysisAI
Denial of service in Tornado web framework versions prior to 6.5.6 allows a malicious HTTP server to exhaust client memory through a gzip decompression bomb against SimpleAsyncHTTPClient in its default configuration. The flaw stems from missing cumulative size enforcement on decompressed response bodies; HTTPServer is also vulnerable when explicitly configured with decompress_request=True. No public exploit identified at time of analysis, though the technique (gzip bomb) is well-understood and trivial to weaponize.
Technical ContextAI
Tornado is a widely-used Python asynchronous networking library and web framework (pkg:pip/tornado) that ships SimpleAsyncHTTPClient for outbound HTTP and HTTPServer for inbound requests. The root cause maps to CWE-409 (Improper Handling of Highly Compressed Data, a.k.a. data amplification / decompression bomb): the gzip routines decompress in bounded chunks and enforce max_body_size against the compressed byte stream, but never tally the cumulative decompressed output. A small, high-ratio gzip stream (megabytes compressed expanding to gigabytes) therefore bypasses the existing limit. The fix in 6.5.6 extends max_body_size enforcement to both the compressed and the cumulative decompressed total.
RemediationAI
Upstream fix available: upgrade to Tornado 6.5.6, where max_body_size is now enforced against both the compressed and the cumulative decompressed response size (vendor advisory: https://github.com/tornadoweb/tornado/security/advisories/GHSA-mgf9-4vpg-hj56). If an immediate upgrade is not possible, mitigate on the client side by setting decompress_response=False on SimpleAsyncHTTPClient - the trade-off is that callers receive raw gzip bytes and must decompress themselves with their own size cap - or switch to CurlAsyncHTTPClient, which relies on libcurl's decompression and is not affected (trade-off: an additional libcurl/pycurl runtime dependency and slightly different behavior/options). On the server side, leave decompress_request at its default (False) until patched, accepting that gzip-encoded request bodies will not be transparently decompressed.
Same technique Information Disclosure
View allVendor StatusVendor
SUSE
| Product | Status |
|---|---|
| openSUSE Tumbleweed | Fixed |
Share
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-44505
GHSA-mgf9-4vpg-hj56