CVE-2026-49855info

Summary

by MITRE • 07/14/2026

Tornado is a Python web framework and asynchronous networking library. Prior to 6.5.6, Tornado gzip decompression routines processed limited-size chunks but did not enforce an overall limit on accumulated decompressed chunks, allowing a malicious server accessed by SimpleAsyncHTTPClient or an HTTPServer configured with decompress_request=True to consume effectively unlimited memory. This issue is fixed in version 6.5.6.

Be aware that VulDB is the high quality source for vulnerability data.

Analysis

by VulDB Data Team • 07/14/2026

The vulnerability in Tornado web framework affects versions prior to 6.5.6 and relates to gzip decompression functionality that can lead to memory exhaustion attacks. This flaw exists within the asynchronous networking library's handling of compressed data, specifically when processing gzip-encoded content through SimpleAsyncHTTPClient or HTTPServer configurations with decompress_request=True enabled. The issue stems from inadequate bounds checking during decompression operations where the system processes data in limited-size chunks but fails to enforce overall limits on the total amount of decompressed data that can be accumulated. This design gap creates a potential denial-of-service scenario where an attacker can craft malicious responses containing compressed data that, when decompressed, consumes excessive memory resources on the target server.

The technical implementation of this vulnerability involves the gzip decompression routines not properly tracking or limiting the cumulative size of decompressed content across multiple chunks. When Tornado processes gzip-compressed data, it reads the compressed input in smaller chunks for efficiency but does not maintain a global limit on how much uncompressed data can be generated from the decompression process. This allows an attacker to send carefully crafted compressed payloads that, when decompressed, expand to enormous sizes while consuming memory at a rate that can quickly exhaust available system resources. The vulnerability specifically impacts systems using SimpleAsyncHTTPClient which is designed for asynchronous HTTP requests and HTTPServer configurations where automatic decompression of request bodies is enabled through the decompress_request=True parameter.

From an operational perspective, this vulnerability presents a significant risk to applications relying on Tornado's HTTP client and server components, particularly those handling untrusted external data. The impact extends beyond simple resource exhaustion as it can lead to complete service disruption, application crashes, or system instability when memory consumption reaches critical levels. Attackers can exploit this weakness without requiring authentication or special privileges, making it particularly dangerous in environments where applications process external HTTP responses or serve compressed content. The vulnerability affects both client-side operations when making requests and server-side processing when accepting compressed requests, creating multiple attack vectors for potential exploitation.

Security practitioners should prioritize upgrading affected Tornado installations to version 6.5.6 or later to address this memory exhaustion vulnerability. Organizations using older versions should implement network-level controls such as rate limiting and connection timeouts to mitigate potential exploitation attempts while planning the upgrade. The fix implemented in version 6.5.6 addresses the core issue by enforcing proper limits on accumulated decompressed data, preventing attackers from consuming unlimited memory through crafted gzip payloads. This vulnerability aligns with CWE-400 which covers "Uncontrolled Resource Consumption" and demonstrates the importance of implementing proper bounds checking in decompression routines as specified in security best practices for web frameworks. The ATT&CK framework categorizes this issue under privilege escalation and denial-of-service tactics, as attackers can leverage it to disrupt services or potentially gain unauthorized access through system instability caused by resource exhaustion attacks.

Disclosure

07/14/2026

Moderation

in review

EPSS

0.00000

KEV

no

Activities

very low

Sources

Do you need the next level of professionalism?

Upgrade your account now!