What’s new in Tornado 6.5.5

Mar 10, 2026

Security fixes

  • multipart/form-data requests are now limited to 100 parts by default, to prevent a denial-of-service attack in which a request is split into a very large number of small parts, each of which costs the server parsing and allocation work out of proportion to its size. This limit is configurable via tornado.httputil.ParseMultipartConfig; applications whose forms legitimately submit more than 100 fields in one request will need to raise it. Multipart parsing can also be disabled completely if the application does not need it. Thanks to 0x-Apollyon and bekkaze for reporting this issue.

  • The domain, path, and samesite arguments to RequestHandler.set_cookie are now validated for illegal characters. Cookie attributes are separated by semicolons in the Set-Cookie header, so an unvalidated value containing one could be abused to inject additional attributes into the cookie. Thanks to Dhiral Vyas (Praetorian) for reporting this issue.

  • Bare carriage return characters (a CR that is not part of a CRLF line ending) are no longer accepted in multipart/form-data part headers. Thanks to sergeykochanov for reporting this issue.
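The two multipart hardening points above (the part-count cap and the rejection of bare carriage returns in part headers), shown in a minimal multipart/form-data parser. This is an added example, not Tornado's own parser or its ParseMultipartConfig API; the DEFAULT_MAX_PARTS constant, the MultipartError type and the sample bodies are this example's own constructions.

```python
from __future__ import annotations

from dataclasses import dataclass

# Assumed to mirror the new Tornado default; the real setting lives in
# tornado.httputil.ParseMultipartConfig and is not reproduced here.
DEFAULT_MAX_PARTS = 100


class MultipartError(ValueError):
    """Raised for malformed or over-limit bodies (this example's own type)."""


@dataclass
class Part:
    headers: dict[str, str]
    body: bytes


def _parse_part_headers(raw: bytes) -> dict[str, str]:
    """Parse the header block of one part.

    Lines are split on CRLF only, so any CR still inside a line is a bare
    carriage return that is not a line ending. It is rejected outright
    rather than letting different parsers disagree about where the header
    ends.
    """
    headers: dict[str, str] = {}
    for line in raw.split(b"\r\n"):
        if b"\r" in line:
            raise MultipartError("bare carriage return in part header")
        name, sep, value = line.partition(b":")
        if not sep or not name.strip():
            raise MultipartError("malformed part header line")
        headers[name.strip().decode("latin-1").lower()] = value.strip().decode("latin-1")
    return headers


def parse_multipart(body: bytes, boundary: bytes,
                    max_parts: int = DEFAULT_MAX_PARTS) -> list[Part]:
    """Parse a multipart/form-data body, refusing more than max_parts parts."""
    delimiter = b"--" + boundary
    pos = body.find(delimiter)  # anything before the first delimiter is preamble
    if pos < 0:
        raise MultipartError("missing boundary delimiter")
    pos += len(delimiter)
    parts: list[Part] = []
    while True:
        if body.startswith(b"--", pos):  # closing delimiter: done
            break
        if not body.startswith(b"\r\n", pos):
            raise MultipartError("malformed delimiter line")
        pos += 2
        # Enforce the cap before doing any per-part work, so a flood of tiny
        # parts is rejected as soon as it crosses the limit.
        if len(parts) >= max_parts:
            raise MultipartError(f"too many parts (limit {max_parts})")
        header_end = body.find(b"\r\n\r\n", pos)
        if header_end < 0:
            raise MultipartError("unterminated part headers")
        headers = _parse_part_headers(body[pos:header_end])
        content_start = header_end + 4
        next_delim = body.find(b"\r\n" + delimiter, content_start)
        if next_delim < 0:
            raise MultipartError("unterminated part body")
        parts.append(Part(headers, body[content_start:next_delim]))
        pos = next_delim + 2 + len(delimiter)
    return parts


def build_body(boundary: bytes, fields: list[tuple[str, str]]) -> bytes:
    """Build a well-formed multipart/form-data body (constructed test input)."""
    out = bytearray()
    for name, value in fields:
        out += b"--" + boundary + b"\r\n"
        out += b'Content-Disposition: form-data; name="' + name.encode() + b'"\r\n\r\n'
        out += value.encode() + b"\r\n"
    out += b"--" + boundary + b"--\r\n"
    return bytes(out)


def multipart_demo() -> dict[str, object]:
    """Run the parser over three constructed bodies and report the outcome."""
    boundary = b"ExampleBoundary"
    normal = build_body(boundary, [("user", "alice"), ("lang", "en")])
    flood = build_body(boundary, [(f"f{i}", "x") for i in range(DEFAULT_MAX_PARTS + 1)])
    # One part whose header block has a bare CR between two header names.
    bare_cr = (b"--" + boundary + b"\r\n"
               + b'Content-Disposition: form-data; name="user"\rX-Injected: 1\r\n\r\n'
               + b"alice\r\n--" + boundary + b"--\r\n")
    results: dict[str, object] = {"normal": len(parse_multipart(normal, boundary))}
    for label, data in (("flood", flood), ("bare_cr", bare_cr)):
        try:
            parse_multipart(data, boundary)
            results[label] = "accepted"
        except MultipartError as exc:
            results[label] = str(exc)
    return results


if __name__ == "__main__":
    print(multipart_demo())
```

The cap is checked before the part's headers are parsed, which is the point of the limit: the cost of a flood is bounded by the limit, not by the attacker's part count. A body with exactly 100 parts still parses; the 101st part is what triggers the error.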
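The cookie attribute injection that the set_cookie fix closes, shown on the standard library's http.cookies module as an added example that is not Tornado's code. The unchecked builder is the pre-fix pattern: Morsel stores whatever string it is handed and joins attributes with "; ". The validation rules in build_set_cookie_checked are this example's own assumptions (RFC 6265's path-value grammar, a dotted-label domain, and the three SameSite tokens), not the exact checks Tornado 6.5.5 applies; the "session" cookie and attacker.example values are constructed inputs.

```python
from __future__ import annotations

import re
from http.cookies import SimpleCookie


def build_set_cookie_unchecked(name: str, value: str, path: str = "/",
                               domain: str | None = None,
                               samesite: str | None = None) -> str:
    """Build a Set-Cookie header value with no attribute validation.

    This is the pre-fix pattern: Morsel stores whatever string it is given,
    and OutputString() joins the attributes with "; ".
    """
    jar = SimpleCookie()
    jar[name] = value
    morsel = jar[name]
    morsel["path"] = path
    if domain is not None:
        morsel["domain"] = domain
    if samesite is not None:
        morsel["samesite"] = samesite
    return morsel.OutputString()


# Validation rules of this example (assumed, not Tornado's exact checks):
# RFC 6265 path-value is any CHAR except CTLs and ";"; a domain is dotted
# labels of letters, digits and hyphens (leading dot tolerated); SameSite
# is one of the three defined tokens, compared case-insensitively.
_PATH_RE = re.compile(r"^[\x20-\x3a\x3c-\x7e]*$")
_DOMAIN_RE = re.compile(r"^\.?[A-Za-z0-9-]+(?:\.[A-Za-z0-9-]+)*$")
_SAMESITE_VALUES = {"strict", "lax", "none"}


def build_set_cookie_checked(name: str, value: str, path: str = "/",
                             domain: str | None = None,
                             samesite: str | None = None) -> str:
    """Same as above, but refuse any value that could start a new attribute."""
    if not _PATH_RE.match(path):
        raise ValueError(f"illegal character in cookie path: {path!r}")
    if domain is not None and not _DOMAIN_RE.match(domain):
        raise ValueError(f"illegal cookie domain: {domain!r}")
    if samesite is not None and samesite.lower() not in _SAMESITE_VALUES:
        raise ValueError(f"illegal SameSite value: {samesite!r}")
    return build_set_cookie_unchecked(name, value, path, domain, samesite)


def cookie_demo() -> dict[str, str]:
    """Show the injection on the unchecked builder and its rejection on the checked one."""
    # Constructed attacker-controlled path: each "; " starts a new attribute.
    hostile_path = "/; Domain=attacker.example; SameSite=None"
    out = {"unchecked": build_set_cookie_unchecked("session", "abc123", path=hostile_path)}
    for label, kwargs in (("checked_path", {"path": hostile_path}),
                          ("checked_domain", {"domain": "example.com; Secure"}),
                          ("checked_samesite", {"samesite": "Lax; Secure"})):
        try:
            build_set_cookie_checked("session", "abc123", **kwargs)
            out[label] = "accepted"
        except ValueError as exc:
            out[label] = str(exc)
    out["legit"] = build_set_cookie_checked("session", "abc123", path="/app",
                                            domain="example.com", samesite="Lax")
    return out


if __name__ == "__main__":
    for key, header in cookie_demo().items():
        print(f"{key}: Set-Cookie: {header}")
```

The unchecked output for the hostile path is a single header that carries a Domain and a SameSite attribute the application never set. The fix is to validate the value at the API boundary, where the intent is known, rather than trying to escape it on output: there is no escaping syntax for a semicolon inside a cookie attribute value.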