Monitor vulnerabilities like this one.
Sign up free to get alerted when software you use is affected.
5.4
Tornado has incomplete validation of cookie attributes
GHSA-78cv-mqj4-43f7
Summary
Values passed to the `domain`, `path`, and `samesite` arguments of `RequestHandler.set_cookie` were not completely validated in versions of Tornado prior to 6.5.5. In particular, semicolons would be allowed, which could be used to inject attacker-controlled values for other cookie attributes.
What to do
- Update tornado to version 6.5.5.
Affected software
| Vendor | Product | Affected versions | Fix available |
|---|---|---|---|
| – | tornado | <= 6.5.5 | 6.5.5 |
Original title
Tornado has incomplete validation of cookie attributes
Original description
Values passed to the `domain`, `path`, and `samesite` arguments of `RequestHandler.set_cookie` were not completely validated in versions of Tornado prior to 6.5.5. In particular, semicolons would be allowed, which could be used to inject attacker-controlled values for other cookie attributes.
osv CVSS3.1
5.4
Vulnerability type
CWE-74
Injection
Published: 11 Mar 2026 · Updated: 14 Mar 2026 · First seen: 14 Mar 2026