CVE-2026-31958
Published: 11 March 2026
Summary
CVE-2026-31958 is a high-severity Uncontrolled Resource Consumption (CWE-400) vulnerability in Tornadoweb Tornado. Its CVSS base score is 8.7 (High).
Operationally, exploitation aligns with the MITRE ATT&CK technique Application or System Exploitation (T1499.004). The vulnerability is ranked at the 29.2nd percentile by exploit likelihood (below the median), and it is not currently listed in the CISA KEV catalog.
The strongest mitigations our analysis identified are NIST 800-53 SC-5 (Denial-of-service Protection) and SI-2 (Flaw Remediation).
Deeper analysis
CVE-2026-31958 is a denial-of-service vulnerability in Tornado, a Python web framework and asynchronous networking library, affecting versions prior to 6.5.5. The issue arises because there is no dedicated limit on the number of parts in multipart/form-data requests beyond the max_body_size setting, which defaults to 100MB. Parsing of these multipart bodies occurs synchronously on the main thread, resulting in high computational costs when processing large bodies with many parts, as documented in CWE-400 (Uncontrolled Resource Consumption).
The vulnerability carries a CVSS v3.1 base score of 7.5 (AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H), indicating it is exploitable remotely over the network by unauthenticated attackers with low complexity and no user interaction. An attacker can send a crafted multipart/form-data request containing numerous parts while staying within the body size limit, forcing the server to expend excessive resources on synchronous parsing and causing denial of service through CPU exhaustion on the main thread.
Tornado version 6.5.5 resolves this vulnerability. Security advisories recommend upgrading to 6.5.5 or later. Key references include the GitHub security advisory at https://github.com/tornadoweb/tornado/security/advisories/GHSA-qjxf-f2mg-c6mc and the Debian LTS announcement at https://lists.debian.org/debian-lts-announce/2026/04/msg00000.html.
EU & UK References
- 🇪🇺 ENISA EUVD: EUVD-2026-11323
Vulnerability details
Tornado is a Python web framework and asynchronous networking library. In versions of Tornado prior to 6.5.5, the only limit on the number of parts in multipart/form-data is the max_body_size setting (default 100MB). Since parsing occurs synchronously on the main thread, this creates the possibility of denial-of-service due to the cost of parsing very large multipart bodies with many parts. This vulnerability is fixed in 6.5.5.
- CWE(s): CWE-400 (Uncontrolled Resource Consumption)
Related Threats
MITRE ATT&CK Enterprise Techniques
Why these techniques?
The CVE describes a remote unauthenticated vulnerability (CWE-400) that is directly exploited by sending a crafted multipart/form-data request to trigger synchronous CPU exhaustion on the main thread, mapping exactly to application/system exploitation for endpoint DoS.
Mitigating Controls (NIST 800-53 r5)
Timely patching to Tornado 6.5.5 directly remediates the vulnerability by implementing a dedicated limit on multipart/form-data parts.
Denial-of-service protections limit the impact of CPU exhaustion from synchronous parsing of large multipart bodies with many parts.
Restrictions on the quantity of information inputs enforce limits on the number of parts in multipart/form-data requests to prevent resource consumption.
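The part-count limit described above, and in the "Deeper analysis" section, can be enforced before a multipart body ever reaches a parser. The following is an added example written for this page; it is not Tornado's own code or the fix shipped in 6.5.5. It extracts the boundary from the Content-Type header, does a single linear scan of the raw body to count part delimiters, and reports whether the request should be rejected. The limit value, the boundary string and the sample bodies are all constructed for illustration.

```python
import re

# Constructed limit for this example; a real deployment sets it to what its
# forms actually need (Tornado 6.5.5 adds its own dedicated part limit).
MAX_MULTIPART_PARTS = 100

# Matches the boundary parameter of a multipart Content-Type, quoted or not.
_BOUNDARY_RE = re.compile(r'boundary="?([^";]+)"?', re.IGNORECASE)


def multipart_boundary(content_type):
    """Return the boundary from a multipart/form-data Content-Type, or None
    when the request is not multipart or declares no boundary."""
    if not content_type or not content_type.lower().startswith("multipart/form-data"):
        return None
    m = _BOUNDARY_RE.search(content_type)
    return m.group(1).strip() if m else None


def count_multipart_parts(boundary, body):
    """Count part delimiters ("--boundary" followed by CRLF) in the raw body
    without parsing any part. The closing delimiter ("--boundary--") is not a
    part and is excluded.

    The scan is O(len(body)) with a tiny constant, so it stays cheap for
    exactly the bodies that are expensive to parse in full. A boundary string
    that (in violation of RFC 2046) appears inside part data is counted too;
    that errs toward rejecting, never toward under-counting.
    """
    delim = b"--" + boundary.encode("latin-1")
    count = 0
    pos = 0
    while True:
        pos = body.find(delim, pos)
        if pos == -1:
            return count
        tail = body[pos + len(delim): pos + len(delim) + 2]
        if tail != b"--":  # "--" after the boundary marks the end of the body
            count += 1
        pos += len(delim)


def check_multipart_part_limit(content_type, body, max_parts=MAX_MULTIPART_PARTS):
    """Return (ok, part_count). ok is False when the body should be refused
    (for example with HTTP 413) instead of being handed to a multipart parser."""
    boundary = multipart_boundary(content_type)
    if boundary is None:
        return True, 0  # not multipart: nothing for this guard to do
    n = count_multipart_parts(boundary, body)
    return n <= max_parts, n


def build_multipart_body(boundary, nparts):
    """Constructed sample body with nparts minimal form fields (test input only)."""
    parts = [
        f'--{boundary}\r\nContent-Disposition: form-data; name="f{i}"\r\n\r\nx\r\n'.encode()
        for i in range(nparts)
    ]
    return b"".join(parts) + f"--{boundary}--\r\n".encode()


if __name__ == "__main__":
    ct = 'multipart/form-data; boundary="constructedBoundary42"'
    small = build_multipart_body("constructedBoundary42", 3)
    big = build_multipart_body("constructedBoundary42", 5000)
    print(check_multipart_part_limit(ct, small))  # (True, 3)
    print(check_multipart_part_limit(ct, big))    # (False, 5000)
```

Where to hook such a check is framework-specific. In Tornado, a handler decorated with `tornado.web.stream_request_body` receives the body in `data_received()` and the framework skips its own form-argument parsing for that handler, so the buffered body can be scanned with a guard like this one before the application parses it; that placement is an assumption about the deployment, not something the advisory prescribes. Upgrading to 6.5.5 remains the primary fix.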