CVE-2026-31958 Overview
CVE-2026-31958 is a Denial of Service vulnerability in Tornado, a Python web framework and asynchronous networking library. In versions prior to 6.5.5, the framework imposes no limit on the number of parts in multipart/form-data requests beyond the max_body_size setting (default 100MB). Since multipart parsing occurs synchronously on the main thread, attackers can cause denial-of-service by sending requests with an excessive number of parts, exhausting server resources during the parsing process.
Critical Impact
Unauthenticated attackers can exploit this vulnerability remotely to cause denial of service on Tornado web applications by sending specially crafted multipart/form-data requests with many parts, causing resource exhaustion on the main thread.
Affected Products
- Tornado versions prior to 6.5.5
- Python web applications using Tornado's multipart/form-data parsing
- Services accepting file uploads or form submissions via Tornado
Discovery Timeline
- 2026-03-11 - CVE-2026-31958 published to NVD
- 2026-03-12 - Last updated in NVD database
Technical Details for CVE-2026-31958
Vulnerability Analysis
This vulnerability stems from a resource exhaustion weakness (CWE-400) in Tornado's multipart/form-data parsing implementation. The core issue is the absence of a dedicated limit on the number of individual parts within a multipart request. While Tornado enforces a max_body_size constraint (defaulting to 100MB), this limit only restricts the total size of the request body, not the number of discrete parts it contains.
The parsing operation is particularly problematic because it executes synchronously on the main event loop thread. In Tornado's asynchronous architecture, blocking the main thread during computationally expensive operations prevents the server from handling other requests, effectively creating a single point of failure. An attacker can exploit this by crafting a multipart request that stays within the size limit but contains thousands or millions of small parts, forcing the server to spend excessive CPU cycles parsing each boundary and header.
Root Cause
The root cause is inadequate input validation in the multipart parser. Specifically, Tornado lacks a configuration option or hardcoded limit to restrict the number of parts processed in a single multipart/form-data request. Combined with synchronous parsing on the main thread, this allows computationally expensive parsing operations to block the entire application.
Attack Vector
This vulnerability is exploitable over the network without authentication. An attacker can send a malicious HTTP POST request with the Content-Type: multipart/form-data header containing a body with an extremely high number of parts. Each part requires parsing of boundaries, headers, and content, creating cumulative processing overhead.
The attack is particularly effective because:
- No authentication is required to submit multipart requests to endpoints accepting form data
- The max_body_size limit can be satisfied while still including millions of tiny parts
- Synchronous parsing blocks the main event loop, affecting all concurrent requests
- The default 100MB limit allows substantial room for crafting malicious payloads
Detection Methods for CVE-2026-31958
Indicators of Compromise
- Unusual spikes in CPU utilization on servers running Tornado applications
- HTTP POST requests to form or upload endpoints with abnormally high Content-Length values
- Increased response times or timeouts on Tornado-powered web services
- Log entries showing multipart/form-data requests with unusual characteristics
Detection Strategies
- Monitor for POST requests with Content-Type: multipart/form-data that approach the max_body_size limit
- Implement request rate limiting on endpoints accepting multipart form submissions
- Configure web application firewalls to inspect and limit multipart boundary occurrences
- Deploy application performance monitoring to detect main thread blocking events
Monitoring Recommendations
- Set up alerts for sustained high CPU usage patterns on Tornado application servers
- Track request processing time metrics to identify parsing-related slowdowns
- Monitor network traffic for anomalous multipart request patterns
- Enable detailed logging for multipart parsing operations to identify abuse attempts
How to Mitigate CVE-2026-31958
Immediate Actions Required
- Upgrade Tornado to version 6.5.5 or later immediately
- Review all endpoints accepting multipart/form-data submissions for exposure
- Implement reverse proxy rate limiting for POST requests to affected endpoints
- Consider temporary reduction of max_body_size to limit attack surface
Patch Information
This vulnerability is fixed in Tornado version 6.5.5. The fix introduces proper limits on the number of parts processed in multipart/form-data requests. Organizations should upgrade to this version or later as soon as possible. For detailed patch information, refer to the GitHub Security Advisory.
Workarounds
- Implement a reverse proxy (nginx, HAProxy) with request body inspection to reject requests with excessive multipart boundaries
- Configure aggressive max_body_size limits appropriate for your application's actual needs
- Deploy web application firewall rules to detect and block multipart abuse patterns
- Consider implementing application-level part counting and rejection logic before passing to Tornado's parser
# Example nginx configuration to limit request body size
# Add to server or location block for affected endpoints
client_max_body_size 10m;
client_body_buffer_size 128k;
# Rate limiting for POST requests
limit_req_zone $binary_remote_addr zone=upload_limit:10m rate=10r/s;
location /upload {
limit_req zone=upload_limit burst=20 nodelay;
# ... existing configuration
}
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.
