Skip to content

fix(deps): vuln tornado (major → 6.5.5) #3966

Open
gh-worker-campaigns-3e9aa4[bot] wants to merge 1 commit intomasterfrom
engraver-auto-version-upgrade/major/pip/2-1775091282
Open

fix(deps): vuln tornado (major → 6.5.5) #3966
gh-worker-campaigns-3e9aa4[bot] wants to merge 1 commit intomasterfrom
engraver-auto-version-upgrade/major/pip/2-1775091282

Conversation

@gh-worker-campaigns-3e9aa4
Copy link
Copy Markdown

@gh-worker-campaigns-3e9aa4 gh-worker-campaigns-3e9aa4 bot commented Apr 2, 2026

Summary: High-severity security update — 1 package upgraded (MAJOR changes included)

Manifests changed:

  • . (pip)

✅ Action Required: Please review the changes below. If they look good, approve and merge this PR.

Updates

Package From To Type Vulnerabilities Fixed
tornado 3.2.2 6.5.5 major 6 HIGH, 5 MODERATE, 2 MEDIUM

Warning

Major Version Upgrade

This update includes major version changes that may contain breaking changes. Please:

  • Review the changelog/release notes for breaking changes
  • Test thoroughly in a staging environment
  • Update any code that depends on changed APIs
  • Ensure all tests pass before merging

Security Details

🚨 Critical & High Severity (6 fixed)
Package CVE Severity Summary Unsafe Version Fixed In
tornado GHSA-8w49-h785-mj3c HIGH Tornado has an HTTP cookie parsing DoS vulnerability 3.2.2 6.4.2
tornado CVE-2026-31958 HIGH Tornado has a DoS due to too many multipart parts 3.2.2 -
tornado GHSA-qjxf-f2mg-c6mc HIGH Tornado is vulnerable to DoS due to too many multipart parts 3.2.2 6.5.5
tornado CVE-2024-52804 HIGH Tornado has HTTP cookie parsing DoS vulnerability 3.2.2 -
tornado GHSA-7cx3-6m66-7c5m HIGH Tornado vulnerable to excessive logging caused by malformed multipart form data 3.2.2 6.5
tornado CVE-2025-47287 HIGH Tornado vulnerable to excessive logging caused by malformed multipart form data 3.2.2 -
ℹ️ Other Vulnerabilities (7)
Package CVE Severity Summary Unsafe Version Fixed In
tornado PYSEC-2023-75 medium - 3.2.2 6.3.2
tornado CVE-2023-28370 medium - 3.2.2 -
tornado GHSA-hj3f-6gcp-jg8j MODERATE Open redirect in Tornado 3.2.2 6.3.2
tornado GHSA-qppv-j76h-2rpx MODERATE Tornado vulnerable to HTTP request smuggling via improper parsing of Content-Length fields and chunk lengths 3.2.2 6.3.3
tornado GHSA-w235-7p84-xx57 MODERATE Tornado has a CRLF injection in CurlAsyncHTTPClient headers 3.2.2 6.4.1
tornado GHSA-753j-mpmx-qq6g MODERATE Inconsistent Interpretation of HTTP Requests ('HTTP Request/Response Smuggling') in tornado 3.2.2 6.4.1
tornado GHSA-78cv-mqj4-43f7 MODERATE Tornado has incomplete validation of cookie attributes 3.2.2 6.5.5
⚠️ Dependencies that have Reached EOL (1)
Dependency Unsafe Version EOL Date New Version Path
tornado 3.2.2 - 6.5.5 requirements.txt

Review Checklist

Extra review is recommended for this update:

  • Review changes for compatibility with your code
  • Check release notes for breaking changes
  • Run integration tests to verify service behavior
  • Test in staging environment before production
  • Monitor key metrics after deployment
  • Approve and merge this PR

Update Mode: Vulnerability Remediation (High)

🤖 Generated by DataDog Automated Dependency Management System

@campaigner-prod campaigner-prod bot marked this pull request as ready for review April 2, 2026 14:38
@campaigner-prod campaigner-prod bot requested a review from a team as a code owner April 2, 2026 14:38
@campaigner-prod campaigner-prod bot requested a review from pgimalac April 2, 2026 14:38
@pgimalac pgimalac removed their request for review April 3, 2026 09:18
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

No reviews

Assignees

No one assigned

Labels

adms-dependency-update adms-fixes-eol adms-high-severity adms-major-update adms-medium-severity adms-mode-all-updates adms-python campaigner-automated-change

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

0 participants