
Tornado: Large Multipart Files Can Cause Server Crash

CVE-2026-31958 GHSA-qjxf-f2mg-c6mc
Summary

Tornado servers can crash if they receive a large `multipart/form-data` request body with many parts, which could disrupt service. This affects servers running Tornado 6.5.4 or earlier. To protect your server, update to Tornado 6.5.5 or higher, and consider adjusting the configuration to limit multipart body size and complexity.

What to do
  • Update tornado to version 6.5.5.
Affected software
| Vendor | Product | Affected versions | Fix available |
|--------|---------|-------------------|---------------|
| – | tornado | <= 6.5.4 | 6.5.5 |
Original title
Tornado is vulnerable to DoS due to too many multipart parts
Original description
In versions of Tornado prior to 6.5.5, the only limit on the number of parts in `multipart/form-data` is the `max_body_size` setting (default 100MB). Since parsing occurs synchronously on the main thread, this creates the possibility of denial-of-service due to the cost of parsing very large multipart bodies with many parts.

Tornado 6.5.5 introduces new limits on the size and complexity of multipart bodies, including a default limit of 100 parts per request. These limits are configurable if needed; see `tornado.httputil.ParseMultipartConfig`. It is also now possible to disable `multipart/form-data` parsing entirely if it is not required for the application.
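
As an added example (not Tornado's code and not part of the advisory), the following stand-alone guard counts `multipart/form-data` delimiter lines before any full parse and rejects bodies over the 100-part default described above. The names `get_boundary`, `count_parts`, `TooManyParts` and `sample_body` are hypothetical, and the sample body is constructed.

```python
"""Added example: pre-parse part-count guard (names are hypothetical, not Tornado APIs)."""
from email.message import Message

MAX_PARTS = 100  # mirrors the 100-part default the advisory gives for Tornado 6.5.5


class TooManyParts(ValueError):
    """Body has more multipart parts than the configured limit."""


def get_boundary(content_type: str) -> bytes:
    """Return the boundary parameter of a multipart/form-data Content-Type value."""
    msg = Message()
    msg["Content-Type"] = content_type
    if msg.get_content_type() != "multipart/form-data":
        raise ValueError("not multipart/form-data")
    boundary = msg.get_param("boundary")  # quotes are stripped by get_param
    if not isinstance(boundary, str) or not boundary:
        raise ValueError("missing or malformed boundary")
    return boundary.encode("latin-1")


def count_parts(content_type: str, body: bytes, max_parts: int = MAX_PARTS) -> int:
    """Count delimiter lines without building part objects; stop once over the limit.

    Occurrences of "--boundary CRLF" are counted even when they are not at the
    start of a line, so an ambiguous body errs toward rejection.
    """
    marker = b"--" + get_boundary(content_type) + b"\r\n"
    parts, pos = 0, 0
    while (pos := body.find(marker, pos)) != -1:
        parts += 1
        if parts > max_parts:
            raise TooManyParts(f"more than {max_parts} multipart parts")
        pos += len(marker)
    return parts


def sample_body(n_parts: int, boundary: bytes = b"xYz123") -> bytes:
    """Constructed sample input: n small text fields plus the closing delimiter."""
    part = b'--%b\r\nContent-Disposition: form-data; name="f%d"\r\n\r\nv\r\n'
    return b"".join(part % (boundary, i) for i in range(n_parts)) + b"--%b--\r\n" % boundary


if __name__ == "__main__":
    ctype = 'multipart/form-data; boundary="xYz123"'
    print(count_parts(ctype, sample_body(3)))  # within the limit
    try:
        count_parts(ctype, sample_body(101))
    except TooManyParts as exc:
        print("rejected:", exc)
```

A check like this only helps where it runs before the framework parses the body, such as in a front-end proxy or a streaming handler; on affected versions the fix remains the update to 6.5.5.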
NVD CVSS 4.0: 8.7
Vulnerability type
CWE-400 Uncontrolled Resource Consumption
Published: 12 Mar 2026 · Updated: 13 Mar 2026 · First seen: 11 Mar 2026