From: Ben Darnell Date: Thu, 11 Dec 2025 02:58:28 +0000 (-0500) Subject: Release notes for 6.5.3 X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=refs%2Fpull%2F3559%2Fhead;p=thirdparty%2Ftornado.git Release notes for 6.5.3 --- diff --git a/docs/releases.rst b/docs/releases.rst index a37951d9..3d69d7af 100644 --- a/docs/releases.rst +++ b/docs/releases.rst @@ -4,6 +4,7 @@ Release notes .. toctree:: :maxdepth: 2 + releases/v6.5.3 releases/v6.5.2 releases/v6.5.1 releases/v6.5.0 diff --git a/docs/releases/v6.5.3.rst b/docs/releases/v6.5.3.rst new file mode 100644 index 00000000..33b4f668 --- /dev/null +++ b/docs/releases/v6.5.3.rst 
@@ -0,0 +1,33 @@ +What's new in Tornado 6.5.3 +=========================== + +Dec 10, 2025 +------------ + +Security fixes +~~~~~~~~~~~~~~ +- Fixed a denial-of-service vulnerability involving quadratic computation when parsing + ``multipart/form-data`` request bodies. + `CVE-2025-67726 `_ + Thanks to `Finder16 `_ for reporting this issue. +- Fixed a denial-of-service vulnerability involving quadratic computation when parsing repeated HTTP + headers. + `CVE-2025-67725 `_. + Thanks to `Finder16 `_ for reporting this issue. +- Fixed a header injection and XSS vulnerability involving the ``reason`` argument to + `.RequestHandler.set_status` and `tornado.web.HTTPError`. + `CVE-2025-67724 `_. + Thanks to `Finder16 `_ and + `Cheshire1225 `_ for reporting this issue. + +Demo changes +~~~~~~~~~~~~ +- Several demo applications bundled with the Tornado repo (``blog``, ``chat``, ``facebook``) had an + open redirect vulnerability which has been fixed. This is not covered by a CVE or security + advisory since the demo applications are not included as a part of the Tornado package when + installed, but developers who have copied code from these demos may which to review their own + applications for open redirects. Thanks to `J1vvoo `_ for reporting this + issue. +- The ``s3server`` demo application contained some path traversal vulnerabilities. Since this demo + application was not demonstrating any interesting aspects of Tornado, it has been deleted rather + than being fixed. Thanks to `J1vvoo `_ for reporting this issue.
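Review bot: typo in the "Demo changes" section of the new v6.5.3.rst: "developers who have copied code from these demos may which to review their own applications" should read "may wish to review". While touching this file, the three "Security fixes" bullets end the CVE link line inconsistently (the first has no trailing period after the ``CVE-2025-67726`` link, the other two do); pick one form for all three.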