Tornado Denial-of-Service Vulnerability in Multipart Form-Data Processing

Vulnerability

A denial-of-service vulnerability has been identified in the Tornado web framework, specifically in versions prior to 6.5.5. The issue arises from the lack of a proper limit on the number of parts in a multipart/form-data body; the only restriction is the max_body_size setting, which defaults to 100MB. Because that setting bounds only the total byte count, a body well within the limit can still contain a very large number of parts. Parsing such a body is resource-intensive and can disrupt normal application performance, and the vulnerability is exacerbated by the fact that parsing is done synchronously on the main thread, creating a potential bottleneck.

Impact

Exploitation of this vulnerability can lead to a denial-of-service condition, where the application becomes unresponsive or significantly slower due to the overhead of processing large multipart bodies with numerous parts.

Remediation

Users can upgrade to Tornado version 6.5.5 or later, where this vulnerability has been addressed. Tornado 6.5.5 introduces new default limits on the size and complexity of multipart bodies, including a cap of 100 parts per request. For applications that do not require multipart/form-data parsing, this feature can be disabled entirely.
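The remediation above is the upgrade; for an application that cannot upgrade immediately, the underlying fix is to bound the part count before the expensive parse runs. The following is an added example, not Tornado's own code and not the 6.5.5 implementation: a framework-independent pre-parse check that extracts the boundary from the Content-Type header, counts delimiter lines in the raw body with a single linear pass, and rejects the request when the count exceeds a cap. The cap of 100 is the 6.5.5 default quoted on this page; the request bodies are constructed here for illustration.

```python
# Added example: cheap part-count check applied to a raw multipart/form-data body
# before it is handed to a full multipart parser. Not Tornado code.

# Cap taken from the page: Tornado 6.5.5 defaults to 100 parts per request.
MAX_PARTS = 100


def boundary_from_content_type(content_type: str):
    """Extract the multipart boundary from a Content-Type header value.

    Returns None when the header is not multipart/form-data or carries no boundary.
    """
    media_type, _, params = content_type.partition(";")
    if media_type.strip().lower() != "multipart/form-data":
        return None
    for param in params.split(";"):
        key, _, value = param.strip().partition("=")
        if key.strip().lower() == "boundary":
            return value.strip().strip('"')
    return None


def count_parts(body: bytes, boundary: str) -> int:
    """Count parts by counting delimiter lines; stops at the closing delimiter.

    This is a single pass over the body and allocates nothing per part, so it is
    far cheaper than fully parsing each part's headers and payload.
    """
    delimiter = b"--" + boundary.encode("latin-1")
    count = 0
    for line in body.split(b"\r\n"):
        if line == delimiter + b"--":  # closing delimiter: end of the body
            break
        if line == delimiter:
            count += 1
    return count


def check_multipart_request(content_type: str, body: bytes, max_parts: int = MAX_PARTS) -> bool:
    """Return True if the body may be passed to the multipart parser, False to reject it.

    Non-multipart requests are passed through unchanged; a max_body_size-style
    byte limit should still be enforced separately before the body is read.
    """
    boundary = boundary_from_content_type(content_type)
    if boundary is None:
        return True  # not multipart/form-data; nothing to cap here
    return count_parts(body, boundary) <= max_parts


def build_multipart_body(boundary: str, n_parts: int) -> bytes:
    """Construct a multipart/form-data body with n_parts tiny fields (constructed test input)."""
    chunks = []
    for i in range(n_parts):
        chunks.append(b"--" + boundary.encode("latin-1") + b"\r\n")
        chunks.append(b'Content-Disposition: form-data; name="f%d"\r\n\r\n' % i)
        chunks.append(b"x\r\n")
    chunks.append(b"--" + boundary.encode("latin-1") + b"--\r\n")
    return b"".join(chunks)


if __name__ == "__main__":
    ctype = "multipart/form-data; boundary=abc123"
    small = build_multipart_body("abc123", 3)
    over_cap = build_multipart_body("abc123", MAX_PARTS + 1)
    print("3 parts accepted:", check_multipart_request(ctype, small))
    print("101 parts accepted:", check_multipart_request(ctype, over_cap))
```

The point of the check is the asymmetry it restores: the 101-part body is only a few kilobytes, well under any max_body_size, yet the count is taken in one scan of the bytes while the parse it prevents would do per-part work on the request thread. In Tornado specifically, a handler only sees the raw body before parsing when it opts into streaming (`tornado.web.stream_request_body`), which is where a check like this would sit on a pre-6.5.5 deployment.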

Added: Mar 11, 2026, 8:26 PM
Updated: Mar 11, 2026, 8:26 PM

Vulnerability Rating

Custom Algorithm

spread: 7.6
impact: 2.5
exploitability: 7.6
remediation: 7.7
relevance: 3.8
threat: 0.0
urgency: 2.9
incentive: 4.2

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.