CVE-2026-49855

high

Description

The vulnerability exists due to a missing size restriction on cumulative data processing within the _GzipMessageDelegate.data_received decompression routines in Tornado. While the framework strictly enforces boundaries for the total incoming compressed file size, it continuously extracts nested data chunks without reviewing the total decompressed size, enabling a malicious server to deploy a "gzip bomb" that drives unlimited system memory allocation and causes a process-wide denial of service (DoS).

Details

Source: Mitre, NVD

Published: 2026-06-18

Risk Information

CVSS v2

Base Score: 7.8

Vector: CVSS2#AV:N/AC:L/Au:N/C:N/I:N/A:C

Severity: High

CVSS v3

Base Score: 7.5

Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

Severity: High

EPSS

EPSS: 0.00052