Skip to content

chore(deps): update dependency tornado to v6.5.5 [security] - autoclosed#472

Closed
renovate[bot] wants to merge 1 commit intomainfrom
renovate/pypi-tornado-vulnerability
Closed

chore(deps): update dependency tornado to v6.5.5 [security] - autoclosed#472
renovate[bot] wants to merge 1 commit intomainfrom
renovate/pypi-tornado-vulnerability

Conversation

@renovate
Copy link
Contributor

@renovate renovate bot commented Mar 12, 2026
edited
Loading

This PR contains the following updates:

Package Change Age Confidence
tornado (source) 6.5.26.5.5 age confidence

Warning

Some dependencies could not be looked up. Check the Dependency Dashboard for more information.

GitHub Vulnerability Alerts

GHSA-78cv-mqj4-43f7

Values passed to the domain, path, and samesite arguments of RequestHandler.set_cookie were not completely validated in versions of Tornado prior to 6.5.5. In particular, semicolons would be allowed, which could be used to inject attacker-controlled values for other cookie attributes.

CVE-2026-31958

In versions of Tornado prior to 6.5.5, the only limit on the number of parts in multipart/form-data is the max_body_size setting (default 100MB). Since parsing occurs synchronously on the main thread, this creates the possibility of denial-of-service due to the cost of parsing very large multipart bodies with many parts.

Tornado 6.5.5 introduces new limits on the size and complexity of multipart bodies, including a default limit of 100 parts per request. These limits are configurable if needed; see tornado.httputil.ParseMultipartConfig. It is also now possible to disable multipart/form-data parsing entirely if it is not required for the application.

Release Notes

tornadoweb/tornado (tornado)

v6.5.5

Compare Source

v6.5.4

Compare Source

v6.5.3

Compare Source

Configuration

📅 Schedule: Branch creation - "" in timezone Europe/Berlin, Automerge - At any time (no schedule defined).

🚦 Automerge: Disabled by config. Please merge this manually once you are satisfied.

Rebasing: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox.

🔕 Ignore: Close this PR and you won't be reminded about this update again.

  • If you want to rebase/retry this PR, check this box

This PR was generated by Mend Renovate. View the repository job log.

@renovate renovate bot added bot Automated pull requests or issues dependencies Pull requests that update a dependency file renovate Pull requests from Renovate skip:codecov Skip Codecov reporting and check skip:test:long_running Skip long-running tests (≥5min) labels Mar 12, 2026
@sonarqubecloud
Copy link

sonarqubecloud bot commented Mar 12, 2026

Quality Gate Passed Quality Gate passed

Issues
0 New issues
0 Accepted issues

Measures
0 Security Hotspots
0.0% Coverage on New Code
0.0% Duplication on New Code

See analysis details on SonarQube Cloud

@renovate renovate bot changed the title chore(deps): update dependency tornado to v6.5.5 [security] chore(deps): update dependency tornado to v6.5.5 [security] - autoclosed Mar 13, 2026
@renovate renovate bot closed this Mar 13, 2026
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@helmut-hoffer-von-ankershoffen helmut-hoffer-von-ankershoffen Awaiting requested review from helmut-hoffer-von-ankershoffen helmut-hoffer-von-ankershoffen is a code owner

Assignees

No one assigned

Labels

bot Automated pull requests or issues dependencies Pull requests that update a dependency file renovate Pull requests from Renovate skip:codecov Skip Codecov reporting and check skip:test:long_running Skip long-running tests (≥5min)

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

0 participants