Tornado, Credential Leak via Handle Reuse, CVE: None (Medium) -DC-Jun2026-453


The vulnerability exists in Tornado’s `CurlAsyncHTTPClient`, which pools and reuses `pycurl` handles across multiple HTTP requests. When a request completes, its handle is returned to a free list instead of being reset. The function `_curl_setup_request` is called before a handle is reused, but it never calls `curl.reset()`. Certain per‑request options – specifically TLS client certificates (`SSLCERT`/`SSLKEY`), proxy credentials (`PROXYUSERPWD`), and network interface binding (`INTERFACE`) – are set on the handle when the request provides them, but there is no clearing branch for these options when a subsequent request does not provide them. As a result, sensitive state from one request persists into a later request that is served by the same pooled handle.

Two vectors are demonstrated:

  • Vector A (client TLS certificate): A request that sets `client_cert` and `client_key` leaves the certificate on the handle. A later request that does not specify any client certificate will still present the previous certificate during its TLS handshake to a completely different host.
  • Vector B (proxy credentials): `PROXYUSERPWD` is set only inside the branch where `proxy_username` exists, and unset only in the `else` branch when no proxy is configured at all. If a request uses a new proxy (a different `proxy_host`) but omits `proxy_username`, the `else` branch is never reached, so the previous request’s proxy credentials are sent to the new proxy.

The same flaw affects `INTERFACE` (network interface binding). All released Tornado versions through 6.5.6 are vulnerable. Exploitation requires that an application shares a single `CurlAsyncHTTPClient` instance across requests with differing security‑sensitive options and that handle reuse schedules the victim request after the poisoned request. Attack complexity is High because handle scheduling is not directly controllable. The impact is disclosure of client certificates (including private key proof and certificate chain) or proxy basic‑auth credentials to an unintended, possibly attacker‑controlled party (CWE‑200 / CWE‑672, CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N, 5.9 Medium).

DailyCVE Form:

Platform: Tornado
Version: ≤6.5.6
Vulnerability: Credential leak
Severity: Medium
Date: 2026-06-15

Prediction: Patch within 30d

What Undercode Say:

Analytics:

Check the installed version:
    pip show tornado | grep Version
Run the Vector A PoC:
    python3 poc_client_cert.py
Run the Vector B PoC:
    python3 poc_proxy_creds.py
The expected output shows the leaked credentials.

Exploit:

Vector A: the first request sets a client cert, the second omits it
    from tornado.curl_httpclient import CurlAsyncHTTPClient
    from tornado.httpclient import HTTPRequest

    client = CurlAsyncHTTPClient(max_clients=1)   # one pooled handle
    await client.fetch(HTTPRequest(url1, client_cert="cert.pem", client_key="key.pem"))
    await client.fetch(HTTPRequest(url2))          # presents cert.pem to url2
Vector B: the first request sets proxy credentials, the second changes proxy without a username
    await client.fetch(HTTPRequest(url_a, proxy_host="p1", proxy_username="u", proxy_password="p"))
    await client.fetch(HTTPRequest(url_b, proxy_host="p2"))   # sends u:p to p2

Protection:

Mitigation: call curl.reset() at the start of _curl_setup_request
    curl.reset()
Or manually unset each persistent option when the request does not supply it
    if request.client_cert is None:
        curl.unsetopt(pycurl.SSLCERT)
Workaround: use a separate CurlAsyncHTTPClient per credential set
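The stale-state pattern of both vectors above and the reset() mitigation, as an added example that is not Tornado's code: a pure-Python stand-in for a pycurl handle (FakeCurl, Request, vulnerable_setup, fixed_setup and options_seen_by_second are all constructed names) reproduces the branch structure described for _curl_setup_request so the leak and its fix can be checked without network access.

```python
# Added example, not Tornado's own code: a minimal model of the pooled-handle
# state bug and the curl.reset() fix. FakeCurl, Request and the setup functions
# are constructed stand-ins; the branch shape mirrors _curl_setup_request.
from dataclasses import dataclass
from typing import Optional

class FakeCurl:
    """Stand-in for a pycurl.Curl handle: options persist until unset/reset."""
    def __init__(self) -> None:
        self.opts: dict = {}
    def setopt(self, name: str, value) -> None:
        self.opts[name] = value
    def unsetopt(self, name: str) -> None:
        self.opts.pop(name, None)
    def reset(self) -> None:          # mirrors pycurl Curl.reset()
        self.opts.clear()

@dataclass
class Request:
    url: str
    client_cert: Optional[str] = None
    client_key: Optional[str] = None
    proxy_host: Optional[str] = None
    proxy_username: Optional[str] = None
    proxy_password: Optional[str] = None

def vulnerable_setup(curl, req):
    """Sets options only when supplied; never clears stale ones (the bug)."""
    if req.client_cert:
        curl.setopt("SSLCERT", req.client_cert)
        curl.setopt("SSLKEY", req.client_key)
    if req.proxy_host:
        curl.setopt("PROXY", req.proxy_host)
        if req.proxy_username:
            curl.setopt("PROXYUSERPWD", f"{req.proxy_username}:{req.proxy_password}")
    else:                              # only reached when no proxy at all
        curl.unsetopt("PROXY")
        curl.unsetopt("PROXYUSERPWD")

def fixed_setup(curl, req):
    """Same per-request logic, but the handle is wiped before reuse."""
    curl.reset()
    vulnerable_setup(curl, req)

def options_seen_by_second(setup, first, second):
    """Two requests on one pooled handle (max_clients=1); options the 2nd sends."""
    curl = FakeCurl()
    setup(curl, first)
    setup(curl, second)                # handle reused from the free list
    return dict(curl.opts)
```

With vulnerable_setup the second request still carries SSLCERT/SSLKEY (Vector A) or PROXYUSERPWD for the new proxy (Vector B); with fixed_setup neither survives, and a second request with no proxy at all is clean even in the vulnerable version because it reaches the else branch.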

Impact:

  • Exposure of client TLS certificate (private key proof + chain) to unintended host
  • Leakage of proxy basic‑auth credentials (base64) to a different proxy
  • Attacker‑controlled URL/proxy can steal credentials (SSRF, webhooks)
  • Affects only `CurlAsyncHTTPClient` backend, not `SimpleAsyncHTTPClient`


Sources:

Reported By: github.com