git.ipfire.org Git - thirdparty/tornado.git/commitdiff
Release notes for 6.5.3 3559/head
author: Ben Darnell <ben@bendarnell.com>
Thu, 11 Dec 2025 02:58:28 +0000 (21:58 -0500)
committer: Ben Darnell <ben@bendarnell.com>
Thu, 11 Dec 2025 14:49:49 +0000 (09:49 -0500)
docs/releases.rst
docs/releases/v6.5.3.rst [new file with mode: 0644]

index a37951d96ca94eb2a6a306283b11e39d06f7bf1a..3d69d7af150aa8c3af7e5d3517331aaad6415d86 100644 (file)
@@ -4,6 +4,7 @@ Release notes
 .. toctree::
    :maxdepth: 2
 
+   releases/v6.5.3
    releases/v6.5.2
    releases/v6.5.1
    releases/v6.5.0
diff --git a/docs/releases/v6.5.3.rst b/docs/releases/v6.5.3.rst
new file mode 100644 (file)
index 0000000..33b4f66
--- /dev/null
@@ -0,0 +1,33 @@
+What's new in Tornado 6.5.3
+===========================
+
+Dec 10, 2025
+------------
+
+Security fixes
+~~~~~~~~~~~~~~
+- Fixed a denial-of-service vulnerability involving quadratic computation when parsing
+  ``multipart/form-data`` request bodies.
+  `CVE-2025-67726 <https://github.com/tornadoweb/tornado/security/advisories/GHSA-jhmp-mqwm-3gq8>`_
+  Thanks to `Finder16 <https://github.com/Finder16>`_ for reporting this issue.
+- Fixed a denial-of-service vulnerability involving quadratic computation when parsing repeated HTTP
+  headers.
+  `CVE-2025-67725 <https://github.com/tornadoweb/tornado/security/advisories/GHSA-c98p-7wgm-6p64>`_.
+  Thanks to `Finder16 <https://github.com/Finder16>`_ for reporting this issue.
+- Fixed a header injection and XSS vulnerability involving the ``reason`` argument to
+  `.RequestHandler.set_status` and `tornado.web.HTTPError`.
+  `CVE-2025-67724 <https://github.com/tornadoweb/tornado/security/advisories/GHSA-pr2v-jx2c-wg9f>`_.
+  Thanks to `Finder16 <https://github.com/Finder16>`_ and
+  `Cheshire1225 <https://github.com/Cheshire1225>`_ for reporting this issue.
+
+Demo changes
+~~~~~~~~~~~~
+- Several demo applications bundled with the Tornado repo (``blog``, ``chat``, ``facebook``) had an
+  open redirect vulnerability which has been fixed. This is not covered by a CVE or security
+  advisory since the demo applications are not included as a part of the Tornado package when
+  installed, but developers who have copied code from these demos may which to review their own
+  applications for open redirects. Thanks to `J1vvoo <https://github.com/J1vvoo>`_ for reporting this
+  issue.
+- The ``s3server`` demo application contained some path traversal vulnerabilities. Since this demo
+  application was not demonstrating any interesting aspects of Tornado, it has been deleted rather
+  than being fixed. Thanks to `J1vvoo <https://github.com/J1vvoo>`_ for reporting this issue.
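Review bot: typo in the open-redirect bullet under "Demo changes": "developers who have copied code from these demos may which to review their own applications" should read "may wish to review their own applications". Also, the first bullet under "Security fixes" ends its CVE link line (`CVE-2025-67726 <...>`_) without the trailing period that the CVE-2025-67725 and CVE-2025-67724 entries have; adding it keeps the three entries consistent. Consider also naming the affected call in the repeated-headers bullet (the parser that accumulates duplicate header values), as the multipart bullet already names `multipart/form-data`, so readers can locate the code path without opening the advisory.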