The vulnerability exists due to a missing size restriction on cumulative data processing within the _GzipMessageDelegate.data_received decompression routines in Tornado. While the framework strictly enforces boundaries for the total incoming compressed file size, it continuously extracts nested data chunks without reviewing the total decompressed size, enabling a malicious server to deploy a "gzip bomb" that drives unlimited system memory allocation and causes a process-wide denial of service (DoS).