Main Vulnerability Database Vulnerabilities #VU128144

Input validation error in Tornado - #VU128144

Published: June 6, 2024 / Updated: April 27, 2026

Vulnerability identifier: #VU128144

CSH Severity: Medium

CVSSv4.0: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:H/VA:N/SC:N/SI:N/SA:N/E:U/U:Green

CVE-ID: N/A

CWE-ID: CWE-20

Exploitation vector: Remote access

Exploit availability: No public exploit available

Vulnerable software:
Tornado

Software vendor:
Tornado

Description

The vulnerability allows a remote attacker to inject arbitrary headers into outbound requests or cause the application to send arbitrary requests to the specified server.

The vulnerability exists due to improper input validation in curl_httpclient.CurlAsyncHTTPClient when processing attacker-controlled request headers. A remote attacker can supply a crafted header value containing CRLF characters to inject arbitrary headers into outbound requests or cause the application to send arbitrary requests to the specified server.

This issue affects applications that include untrusted header data in requests sent through this client and may facilitate server-side request forgery scenarios.

Remediation

Install security update from vendor's website.

External links

https://github.com/tornadoweb/tornado/security/advisories/GHSA-w235-7p84-xx57

Input validation error in Tornado - #VU128144

Description

Remediation

External links

Please verify you're human