Tornado, Unbounded Decompression Bomb (gzip bomb), CVE-2026-49853 (High severity) -DC-Jun2026-454


Intro – How CVE-2026-49853 works

Tornado’s gzip decompression logic splits the payload into small chunks but never limits the total decompressed data that can be accumulated. While the compressed response size is bounded, the decompressed output can grow arbitrarily. A malicious server can send a gzip-compressed HTTP response that is small on the wire but expands to many gigabytes (a “gzip bomb”). Tornado’s `SimpleAsyncHTTPClient` (the default client) decompresses the response chunk by chunk, keeping all chunks in memory until the full response is processed. Because there is no overall decompressed size limit, the process consumes ever‑increasing amounts of memory, leading to a denial‑of‑service (DoS) condition.
The vulnerability exists in the default configuration of AsyncHTTPClient. `HTTPServer` is not affected unless `decompress_request=True` is explicitly set. The issue was fixed in Tornado 6.5.6, where `max_body_size` now enforces limits on both the compressed and cumulative decompressed response size.

DailyCVE Form

Platform: Tornado
Version: < 6.5.6
Vulnerability: gzip bomb (unbounded decompression)
Severity: High
Date: 2026‑05‑27

Prediction: 2026‑05‑27

What Undercode Say

Check installed Tornado version:
pip show tornado | grep Version

Vulnerable code pattern (AsyncHTTPClient with default settings):
from tornado.httpclient import AsyncHTTPClient

async def fetch_untrusted(url):  # e.g. "http://malicious-server/gzip-bomb"
    client = AsyncHTTPClient()  # SimpleAsyncHTTPClient unless configured otherwise
    # decompress_response defaults to True; before 6.5.6 the inflated body is
    # buffered with no cumulative size limit, so a gzip bomb exhausts memory
    response = await client.fetch(url)
    return response.body

Mitigation before upgrading: disable transparent decompression for untrusted URLs
response = await client.fetch(url, decompress_response=False)

Or use CurlAsyncHTTPClient instead (requires pycurl):
AsyncHTTPClient.configure("tornado.curl_httpclient.CurlAsyncHTTPClient")

Exploit

  1. Attacker hosts an HTTP endpoint that returns a gzip‑compressed response with an extreme compression ratio (deflate tops out near 1032:1 on long runs of identical bytes, so roughly 10 MB on the wire can expand to 10 GB; nested or repeated fetches multiply the effect).
  2. Victim’s Tornado application uses `SimpleAsyncHTTPClient` (default) to fetch that URL.
  3. Tornado decompresses the payload chunk by chunk but never checks the total decompressed size, accumulating all data in memory.
  4. Memory consumption grows until the process crashes, resulting in a denial of service.
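The intro and the four steps above both come down to one mechanism: inflating in chunks limits how much is produced per call, not how much is produced in total. The following script is an added example, not code from the advisory or from Tornado itself, and uses only the Python standard library. It builds a constructed gzip bomb (all zero bytes, compressed at roughly 1000:1), shows that an unbounded inflate materialises the whole output, and then applies the cumulative check that a fixed client needs: the same chunked `zlib` loop, but with a running total compared against a limit. The names `bounded_gunzip`, `DecompressedTooLarge`, `max_decompressed` and `chunk_size` are this example's own and stand in for the `max_body_size` limit the page says 6.5.6 enforces.

```python
"""Gzip bomb versus cumulative decompressed-size limit (added example, not Tornado code)."""
import gzip
import io
import zlib


def make_gzip_bomb(decompressed_size: int) -> bytes:
    """Constructed payload: a gzip stream that inflates to decompressed_size zero bytes.
    Deflate encodes long runs at about 1000:1, so the wire size is ~size / 1000."""
    buf = io.BytesIO()
    with gzip.GzipFile(fileobj=buf, mode="wb", compresslevel=9) as gz:
        block = b"\x00" * (1 << 20)  # write in 1 MiB blocks to keep our own memory flat
        remaining = decompressed_size
        while remaining > 0:
            n = min(len(block), remaining)
            gz.write(block[:n])
            remaining -= n
    return buf.getvalue()


def gzip_bytes(data: bytes) -> bytes:
    """Ordinary gzip of a small body, for the non-bomb case."""
    return gzip.compress(data)


def naive_gunzip(compressed: bytes) -> bytes:
    """What an unbounded client effectively does: inflate everything into memory."""
    return gzip.decompress(compressed)


class DecompressedTooLarge(Exception):
    """Raised when cumulative decompressed output exceeds the configured limit."""


def bounded_gunzip(compressed: bytes, max_decompressed: int,
                   chunk_size: int = 64 * 1024) -> bytes:
    """Inflate `compressed` in chunk_size pieces of output while tracking the running
    total, aborting as soon as it exceeds max_decompressed.  Peak memory is bounded by
    max_decompressed + chunk_size whatever the compression ratio.  A truncated or
    corrupt stream raises zlib.error from the decompressor."""
    inflater = zlib.decompressobj(16 + zlib.MAX_WBITS)  # 16+: expect a gzip header
    out = []
    total = 0
    for offset in range(0, len(compressed), chunk_size):
        chunk = compressed[offset:offset + chunk_size]
        pending = chunk
        while True:
            # max_length caps the output of this call; input it did not reach is
            # left in unconsumed_tail and fed back on the next iteration.
            piece = inflater.decompress(pending, chunk_size)
            total += len(piece)
            if total > max_decompressed:
                consumed = offset + len(chunk) - len(inflater.unconsumed_tail)
                raise DecompressedTooLarge(
                    f"decompressed output exceeded {max_decompressed} bytes "
                    f"after only {consumed} compressed bytes")
            out.append(piece)
            pending = inflater.unconsumed_tail
            if not pending and len(piece) < chunk_size:
                break  # this input chunk is drained and no output is pending
    tail = inflater.flush()
    total += len(tail)
    if total > max_decompressed:
        raise DecompressedTooLarge(
            f"decompressed output exceeded {max_decompressed} bytes at end of stream")
    out.append(tail)
    return b"".join(out)


if __name__ == "__main__":
    bomb = make_gzip_bomb(32 * 1024 * 1024)
    print(f"bomb: {len(bomb)} bytes on the wire, {len(naive_gunzip(bomb))} bytes inflated")
    try:
        bounded_gunzip(bomb, max_decompressed=1024 * 1024)
    except DecompressedTooLarge as exc:
        print("bounded client rejected it:", exc)
    print(bounded_gunzip(gzip_bytes(b"a normal body"), max_decompressed=1024 * 1024))
```

The check sits before the piece is appended, so the rejection happens after only a kilobyte or so of compressed input has been read; a limit that is only compared against the compressed length, or only applied per chunk, never fires on this payload.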

Protection

  • Upgrade to Tornado 6.5.6 or later, then size `max_body_size` (a `SimpleAsyncHTTPClient` setting passed through `AsyncHTTPClient.configure`) to the largest response the application legitimately expects, since it now bounds the cumulative decompressed size as well.
  • Mitigate without upgrading:
    ◦ Set `decompress_response=False` on requests to untrusted URLs (and inspect any `Content-Encoding: gzip` body yourself with a bounded decompressor).
    ◦ Switch to `CurlAsyncHTTPClient` (requires pycurl).
  • For `HTTPServer`, leave `decompress_request=False` (the default).

Impact

  • Remote denial of service (memory exhaustion).
  • Affects any Tornado application that uses the default HTTP client to fetch untrusted URLs.
  • No privilege escalation or data leakage, but the crash can disrupt all services running in the same process.


Sources:

Reported By: github.com
