5.4
Tornado cookie settings can be manipulated by attackers
GHSA-78cv-mqj4-43f7
Summary
Old versions of Tornado allowed attackers to inject malicious values into cookie settings. This could be used to trick users into accepting cookies from unauthorized domains. Update to Tornado 6.5.5 or later.
What to do
- Update tornado to version 6.5.5.
Affected software
| Vendor | Product | Affected versions | Fix available |
|---|---|---|---|
| – | tornado | <= 6.5.4 | 6.5.5 |
Original title
Tornado has incomplete validation of cookie attributes
Original description
Values passed to the `domain`, `path`, and `samesite` arguments of `RequestHandler.set_cookie` were not completely validated in versions of Tornado prior to 6.5.5. In particular, semicolons would be allowed, which could be used to inject attacker-controlled values for other cookie attributes.
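As an added illustration (not part of the advisory and not Tornado's own code), the following shows two defensive checks an application can run regardless of library version: a pre-check that refuses attribute values containing a `;` or a line break before they reach `set_cookie`, and an audit helper that parses an emitted `Set-Cookie` line and reports attributes the application never intended to send. The function names and the sample header are constructed for this example.

```python
from __future__ import annotations
import re

# A ';' terminates a cookie attribute, and CR/LF/NUL would terminate the
# whole Set-Cookie header line, so none of them may appear in an attribute.
_FORBIDDEN = re.compile(r"[;\r\n\x00]")
_SAMESITE_VALUES = ("strict", "lax", "none")

def is_safe_cookie_attr(name: str, value: str) -> bool:
    """True if `value` can be used as the `domain`, `path` or `samesite`
    attribute without smuggling a second attribute into the header."""
    if _FORBIDDEN.search(value):
        return False
    if name == "samesite" and value.lower() not in _SAMESITE_VALUES:
        return False
    return True

def validate_cookie_attr(name: str, value: str) -> str:
    """Constructed pre-check for application code (not Tornado's own
    validation): returns the value unchanged or raises ValueError."""
    if not is_safe_cookie_attr(name, value):
        raise ValueError(f"illegal cookie {name} value: {value!r}")
    return value

def parse_set_cookie(header: str) -> tuple[str, str, dict[str, str | None]]:
    """Split one Set-Cookie header into (name, value, {attribute: value}).
    Flag attributes such as HttpOnly map to None."""
    first, *rest = header.split(";")
    name, _, value = first.partition("=")
    attrs: dict[str, str | None] = {}
    for part in rest:
        key, sep, val = part.strip().partition("=")
        attrs[key.lower()] = val if sep else None
    return name.strip(), value, attrs

def unexpected_attributes(header: str, allowed: set[str]) -> set[str]:
    """Audit check over captured responses: attributes present on the
    Set-Cookie line that are not in the application's allow-list."""
    _, _, attrs = parse_set_cookie(header)
    return set(attrs) - allowed

if __name__ == "__main__":
    # Constructed sample header carrying one attribute the app never set.
    sample = "session=abc123; Path=/; Domain=example.com; HttpOnly"
    print(unexpected_attributes(sample, {"path", "domain"}))  # {'httponly'}
```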
CVSS 3.1 (GHSA): 5.4
Vulnerability type
CWE-74
Injection
Published: 11 Mar 2026 · Updated: 13 Mar 2026 · First seen: 11 Mar 2026