Tornado, Cookie Injection, CVE-2026-1234 (Moderate)

Listen to this Post

Values passed to the domain, path, and `samesite` arguments of `RequestHandler.set_cookie` were not completely validated in versions of Tornado prior to 6.5.5. The vulnerability stems from the lack of sanitization of semicolons in these cookie attribute values. In HTTP cookie headers, semicolons are used as separators between different cookie attributes (such as Domain, Path, Secure, HttpOnly, and SameSite). By injecting a semicolon into an attribute value that is meant to be a single, continuous string, an attacker can effectively terminate the current attribute and introduce new, arbitrary attributes. This allows the injection of attacker-controlled values for other cookie attributes, potentially overriding security settings or adding malicious flags, leading to unexpected and potentially insecure cookie behavior .
Platform: Tornado
Version: < 6.5.5
Vulnerability: Cookie Injection
Severity: Moderate
Date: Mar 11, 2026

Prediction: Patched (6.5.5)

What Undercode Say:

Analytics

This vulnerability highlights a critical oversight in input sanitization within a widely-used asynchronous networking framework. The incomplete validation of cookie attributes, specifically the failure to escape or reject semicolons, directly violates the HTTP State Management Mechanism (RFC 6265), which defines the cookie header field structure. The injection point is at the framework’s boundary between developer-controlled input and the generated HTTP response header. Exploitation does not require complex chaining; a single crafted value in a cookie attribute can manipulate the entire cookie header. The flaw’s severity is moderate as it typically requires another vulnerability (like XSS) to inject the malicious `set_cookie` call, or relies on a scenario where an attacker can influence the arguments passed to this specific method.

Bash Commands & Code Analysis

Check your current Tornado version:

python3 -c "import tornado; print(tornado.version)"

Vulnerable code example (prior to 6.5.5):

import tornado.ioloop
import tornado.web
class MainHandler(tornado.web.RequestHandler):
def get(self):
If user_input is "example.com; Secure; HttpOnly"
user_input = self.get_argument("cookie_domain", "localhost")
self.set_cookie("session", "valuable_data", domain=user_input)
self.write("Cookie set.")
Exploit: /?cookie_domain=example.com;%20Secure;%20HttpOnly

How Exploit

An attacker can supply a semicolon within a cookie attribute value to inject additional attributes. For instance, if the `domain` argument is taken from user input without validation, a value like `example.com; Secure` would result in a `Set-Cookie` header resembling:

`Set-Cookie: session=valuable_data; Domain=example.com; Secure; Path=/`

This forces the cookie to be marked as Secure, potentially altering its transmission policy, or could be used to inject a `SameSite=None` to enable cross-site usage inappropriately.

Protection from this CVE

Upgrade to Tornado version 6.5.5 or later.

pip install --upgrade tornado
Verify the upgrade
python3 -c "import tornado; print(tornado.version)" Should output 6.5.5 or higher

The patch involves proper validation and escaping of the domain, path, and `samesite` values to strip or reject semicolons and other control characters before embedding them into the HTTP header.

Impact

A remote attacker could manipulate cookie attributes. This could lead to:
1. Bypassing Security Flags: Injecting `Secure` or `HttpOnly` flags when they are not intended, or conversely, omitting them by breaking the attribute string.
2. Altering Cookie Scope: Changing the `Domain` or `Path` to make a cookie accessible to a wider or unintended set of hosts and directories.
3. Downgrading SameSite Policies: Injecting `SameSite=None` to allow cross-site request forgery (CSRF) attacks if the application relies on `Lax` or `Strict` for CSRF protection.
4. Cache Poisoning (Indirect): In some proxy configurations, manipulated headers could lead to response caching issues .

References

The issue is publicly documented in the GitHub Advisory Database and has been fixed in tornado 6.5.5 .

🎯Let’s Practice Exploiting & Learn Patching For Free:

Sources:

Reported By: github.com
Extra Source Hub:
Undercode

🔐JOIN OUR CYBER WORLD [ CVE News • HackMonitor • UndercodeNews ]

💬 Whatsapp | 💬 Telegram

📢 Follow DailyCVE & Stay Tuned:

𝕏 formerly Twitter 🐦 | @ Threads | 🔗 Linkedin Featured Image

Scroll to Top