Tornado Cookie Attribute Injection Vulnerability

Vulnerability

A cookie attribute injection vulnerability exists in Tornado versions prior to 6.5.5. The domain, path, and samesite arguments of the RequestHandler.set_cookie method were not validated, so crafted characters in those values could be injected into the Set-Cookie header and used to manipulate other attributes of the cookie.

Impact

Exploitation of this vulnerability could inject attacker-controlled values into cookie attributes, potentially altering the cookie's behavior or its security properties.

Remediation

Users can upgrade to Tornado version 6.5.5 or later, where this vulnerability has been patched.
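Upgrading is the fix. For deployments that cannot upgrade immediately, the following added example (not Tornado's own code) shows an application-side guard that rejects attribute-delimiter characters in domain and path and restricts samesite to its three defined values before delegating to set_cookie; it assumes only the keyword names domain, path and samesite that the advisory names, and the recording handler at the end is a stand-in so the guard can be exercised without Tornado installed.

```python
import re

# Characters that end or separate attributes in a Set-Cookie header. If any of
# them survive inside a domain or path value, the remainder of the value is
# parsed as further attributes, which is the class of bug fixed in Tornado 6.5.5.
_FORBIDDEN = re.compile(r"[;,\s\x00-\x1f\x7f]")
_ALLOWED_SAMESITE = {"strict", "lax", "none"}


def validate_cookie_attributes(domain=None, path=None, samesite=None):
    """Return (domain, path, samesite) normalised, or raise ValueError."""
    for label, val in (("domain", domain), ("path", path)):
        if val is None:
            continue
        if not isinstance(val, str) or not val:
            raise ValueError(f"{label} must be a non-empty string")
        hit = _FORBIDDEN.search(val)
        if hit:
            raise ValueError(f"{label} contains forbidden character {hit.group()!r}")
    # Policy of this example: a cookie path must be absolute (RFC 6265 style).
    if path is not None and not path.startswith("/"):
        raise ValueError("path must start with '/'")
    if samesite is not None:
        if not isinstance(samesite, str) or samesite.lower() not in _ALLOWED_SAMESITE:
            raise ValueError(f"samesite must be Strict, Lax or None, got {samesite!r}")
        samesite = samesite.capitalize()  # canonical spelling for the header
    return domain, path, samesite


def safe_set_cookie(handler, name, value, *, domain=None, path="/",
                    samesite=None, **kwargs):
    """Validate the injectable attributes, then delegate to handler.set_cookie
    (assumed to be a Tornado RequestHandler taking domain/path/samesite)."""
    domain, path, samesite = validate_cookie_attributes(domain, path, samesite)
    attrs = {"path": path}
    if domain is not None:
        attrs["domain"] = domain
    if samesite is not None:
        attrs["samesite"] = samesite
    handler.set_cookie(name, value, **attrs, **kwargs)


class RecordingHandler:
    """Stand-in for a RequestHandler so the guard can be exercised offline."""
    def __init__(self):
        self.calls = []

    def set_cookie(self, name, value, **kw):
        self.calls.append((name, value, kw))
```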

Added: Apr 3, 2026, 4:20 AM
Updated: Apr 3, 2026, 4:20 AM

Vulnerability Rating

Custom Algorithm
spread: 7.6
impact: 0.2
exploitability: 6.5
remediation: 7.7
relevance: 5.1
threat: 0.0
urgency: 2.9
incentive: 0.0

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.