What’s new in Tornado 6.5.6

May 27, 2026

Security fixes

• SimpleAsyncHTTPClient now strips the Authorization and Cookie headers from the request when following a redirect to a different origin. This matches the default behavior of CurlAsyncHTTPClient. Applications that need different behavior here can set follow_redirects=False and handle redirects manually. Thanks to [Yannick Wang](https://github.com/noobone123) for being first to report this issue, as well as additional reporters [Kai Aizen](https://github.com/SnailSploit), [HunSec](https://github.com/0xHunSec), and [Thai Son Dinh](https://github.com/sondt99).

• SimpleAsyncHTTPClient now enforces max_body_size on the decompressed size of the response, rather than the compressed size. This prevents a denial-of-service attack via a very large compressed response. Thanks to [Yuichiro Kedashiro](https://github.com/yuui25) for reporting this issue.

• Fixed a bug in the C extension that could have read up to three bytes past the end of an input array. Thanks to [Thai Son Dinh](https://github.com/sondt99) for reporting this issue.

• OpenIDMixin has improved parsing for the check_authentication response. Thanks to [Yannick Wang](https://github.com/noobone123) for reporting this issue.

Bug fixes

• CurlAsyncHTTPClient has been updated to use non-deprecated APIs, avoiding deprecation warnings with recent versions of pycurl.