GHSA-w235-7p84-xx57: Tornado has a CRLF injection in CurlAsyncHTTPClient headers
Tornado’s curl_httpclient.CurlAsyncHTTPClient class is vulnerable to CRLF (carriage return/line feed) injection in the request headers.
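
A caller-side check for header dictionaries before they reach an HTTP client, given here as an added example (it is not Tornado's code and not the project's fix). The function names and the sample headers are constructed for illustration, and naive_wire_lines is a simplified model of unvalidated header serialization, not Tornado's implementation.

```python
import re

# CR, LF and NUL must never reach the client inside a header value.
_FORBIDDEN = re.compile(r"[\r\n\x00]")
# Header field names are restricted to HTTP "token" characters (RFC 9110).
_TOKEN = re.compile(r"[!#$%&'*+\-.^_`|~0-9A-Za-z]+")


class HeaderInjectionError(ValueError):
    """Raised when a header name or value could alter the request framing."""


def validate_headers(headers):
    """Return a clean copy of `headers`, or raise HeaderInjectionError."""
    clean = {}
    for name, value in headers.items():
        # fullmatch, not match with "$": "$" would accept a trailing newline.
        if not isinstance(name, str) or not _TOKEN.fullmatch(name):
            raise HeaderInjectionError(f"invalid header name: {name!r}")
        value = str(value)
        if _FORBIDDEN.search(value):
            raise HeaderInjectionError(f"CR/LF/NUL in value of header {name!r}")
        clean[name] = value
    return clean


def naive_wire_lines(headers):
    """Simplified model: serialize without validation, then split the way a
    receiver does, to show how many header lines actually go on the wire."""
    raw = "".join(f"{name}: {value}\r\n" for name, value in headers.items())
    return [line for line in raw.split("\r\n") if line]


# Constructed sample input: one header value carrying an embedded CRLF.
TAINTED = {"X-Request-Id": "abc123\r\nX-Injected: 1"}
SAFE = {"X-Request-Id": "abc123", "Accept": "application/json"}

if __name__ == "__main__":
    print(naive_wire_lines(TAINTED))   # one dict entry becomes two header lines
    print(validate_headers(SAFE))
    try:
        validate_headers(TAINTED)
    except HeaderInjectionError as exc:
        print("rejected:", exc)
```

Apply the check at the point where untrusted input is copied into header values, and reject the request rather than stripping the characters, so the event can be logged.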