GHSA-78cv-mqj4-43f7: HTTP Header Injection via Incomplete Cookie Attribute Validation in Tornado
Vulnerability ID: GHSA-78CV-MQJ4-43F7
CVSS Score: 6.5
Published: 2026-03-11
Tornado versions prior to v6.5.5 contain a vulnerability in the RequestHandler.set_cookie method where cookie attributes are not properly validated. This flaw permits attackers to inject control characters and semicolons, leading to HTTP header injection or unauthorized cookie attribute manipulation. The issue exposes web applications to session fixation, security flag overriding, and potential response splitting risks.
TL;DR
Tornado < 6.5.5 fails to sanitize semicolons and control characters in cookie attributes, enabling HTTP header injection and arbitrary cookie manipulation. Organizations must upgrade to v6.5.5.
⚠️ Exploit Status: PoC
Technical Details
- Vulnerability Class: HTTP Header / Cookie Attribute Injection
- CWE ID: CWE-113, CWE-159
- Attack Vector: Network
- Authentication Required: None
- Exploit Status: PoC Available
- Fixed Version: v6.5.5
Affected Systems
- Tornado Web Framework
- Applications utilizing Tornado's tornado.web.RequestHandler
- Tornado: < 6.5.5 (fixed in 6.5.5)
Code Analysis
Commit: 24a2d96
Fix incomplete validation of cookie attributes by applying regex to domain, path, samesite, and name.
Mitigation Strategies
- Upgrade Tornado to version 6.5.5 or newer.
- Implement application-level input sanitization for all parameters passed to cookie creation methods.
- Deploy WAF rules to detect and block structural delimiters like semicolons in input vectors destined for headers.
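The application-level sanitization suggested above, as an added example that is not part of this advisory or of Tornado itself: a guard that rejects semicolons and control characters in the attributes the fix covers (domain, path, samesite, name) before they reach `set_cookie`. The helper names `check_cookie_attr`, `safe_cookie_kwargs` and `is_safe` are hypothetical, and the sample inputs are constructed.

```python
import re

# Characters that can end or alter a Set-Cookie header: ASCII control
# characters (CR/LF split the header) and ';', the attribute delimiter.
_CONTROL_OR_SEMICOLON = re.compile(r"[\x00-\x1f\x7f;]")
# RFC 6265 cookie-name is an HTTP token: printable ASCII minus separators.
_TOKEN = re.compile(r"^[!#$%&'*+\-.^_`|~0-9A-Za-z]+$")
_SAMESITE_ALLOWED = {"lax", "strict", "none"}


def check_cookie_attr(attr: str, value: str) -> str:
    """Return value unchanged if it is safe to embed in a Set-Cookie header.

    Raises ValueError otherwise. Hypothetical application-side guard meant
    to run before RequestHandler.set_cookie; it is not Tornado's own check.
    """
    if attr == "name":
        if not _TOKEN.match(value):
            raise ValueError(f"invalid cookie name: {value!r}")
        return value
    if _CONTROL_OR_SEMICOLON.search(value):
        raise ValueError(f"control char or ';' in cookie {attr}: {value!r}")
    if attr == "samesite" and value.lower() not in _SAMESITE_ALLOWED:
        raise ValueError(f"unexpected SameSite value: {value!r}")
    return value


def safe_cookie_kwargs(name, value, domain=None, path="/", samesite=None):
    """Validate the attributes and return keyword arguments for set_cookie."""
    kwargs = {
        "name": check_cookie_attr("name", name),
        "value": value,  # the cookie value itself is left to the framework
        "path": check_cookie_attr("path", path),
    }
    if domain is not None:
        kwargs["domain"] = check_cookie_attr("domain", domain)
    if samesite is not None:
        kwargs["samesite"] = check_cookie_attr("samesite", samesite)
    return kwargs


def is_safe(attr: str, value: str) -> bool:
    """Boolean form of check_cookie_attr, handy for tests and log filters."""
    try:
        check_cookie_attr(attr, value)
        return True
    except ValueError:
        return False
```

A rejected attribute is worth logging with the request id, since a semicolon or CR/LF in a value that should be a plain path or domain is a strong signal of tampering.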
Remediation Steps:
- Identify all projects utilizing the Tornado framework.
- Update dependencies in requirements.txt or Pipfile to strictly enforce tornado>=6.5.5.
- Run the regression test suite to ensure the updated library does not break legitimate cookie handling.
- Audit application source code for direct mapping of user input to set_cookie attributes.