What’s new in Tornado 6.5.6¶
May 27, 2026¶
Security fixes¶
SimpleAsyncHTTPClientnow strips theAuthorizationandCookieheaders from the request when following a redirect to a different origin. This matches the default behavior ofCurlAsyncHTTPClient. Applications that need different behavior here can setfollow_redirects=Falseand handle redirects manually. Thanks to Yannick Wang for being first to report this issue, as well as additional reporters Kai Aizen, HunSec, and Thai Son Dinh. CVE-2026-49853SimpleAsyncHTTPClientnow enforcesmax_body_sizeon the decompressed size of the response, rather than the compressed size. This prevents a denial-of-service attack via a very large compressed response. Thanks to Yuichiro Kedashiro for reporting this issue. CVE-2026-49855Fixed a bug in the C extension that could have read up to three bytes past the end of an input array. Thanks to Thai Son Dinh for reporting this issue. CVE-2026-49854
OpenIDMixinhas improved parsing for thecheck_authenticationresponse. Thanks to Yannick Wang for reporting this issue.
Bug fixes¶
CurlAsyncHTTPClienthas been updated to use non-deprecated APIs, avoiding deprecation warnings with recent versions ofpycurl.