CNNVD-202512-2394 Information
CNNVD ID
CNNVD-202512-2394
Related CVE
- CNNVD Published: 2025-12-12
Description (translated from Chinese)
Tornado is a Python web framework and asynchronous networking library from the Tornado community in China. By using non-blocking network I/O, the library can scale to tens of thousands of open connections, making it ideal for long polling, WebSockets, and other applications that require a long-lived connection to each user. Tornado 6.5.2 and earlier versions contain a security vulnerability caused by an unescaped reason phrase in HTTP headers, which could lead to header injection or cross-site scripting attacks.
Description (English)
Tornado is a Python web framework and asynchronous networking library from the Tornado community in China. By using non-blocking network I/O, the library can scale to thousands of open connections, making it well suited to long polling, WebSocket and other applications that require a long-lived connection to each user. Tornado 6.5.2 and earlier versions contain a security vulnerability that originates from an unescaped reason phrase in HTTP headers and could lead to header injection or cross-site scripting attacks.
Hazard Level
High
Vulnerability Type
Other
Affected Vendor
龙卷风科技 (Tornado)
Published
2025-12-12
Last Modified
2026-02-24
References
https://github.com/tornadoweb/tornado/commit/9c163aebeaad9e6e7d28bac1f33580eb00b0e421
https://github.com/tornadoweb/tornado/releases/tag/v6.5.3
https://github.com/tornadoweb/tornado/security/advisories/GHSA-pr2v-jx2c-wg9f
Patch
https://github.com/tornadoweb/tornado/tags