WS-2023-0296
Published:May 15, 2026
Updated:May 15, 2026
Summary

Tornado interprets "-", "+", and "_" in chunk length and "Content-Length" values, which the HTTP RFCs do not allow. This can result in request smuggling when Tornado is deployed behind a proxy that interprets those non-standard characters differently. This is known to apply to older versions of HAProxy; the current HAProxy release is not affected.

Details

Tornado uses the "int" constructor to parse the values of "Content-Length" headers and chunk lengths in the following locations:

tornado/http1connection.py:445
    self._expected_content_remaining = int(headers["Content-Length"])

tornado/http1connection.py:621
    content_length = int(headers["Content-Length"])  # type: Optional[int]

tornado/http1connection.py:671
    chunk_len = int(chunk_len_str.strip(), 16)

Because int("0_0") == int("+0") == int("-0") == int("0"), using the "int" constructor to parse and validate strings that should contain only ASCII digits (or ASCII hex digits, for chunk sizes) is not a good strategy: a value the RFC grammar rejects is silently accepted, and a front-end proxy that frames the same message differently will disagree with Tornado about where one request ends and the next begins, which is the condition request smuggling needs.
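The following is an added example, not Tornado's code or part of the original advisory. It puts the int()-based parsing described above next to a digit-only parser that follows the RFC grammar (1*DIGIT for Content-Length, 1*HEXDIG for chunk-size), runs both over constructed header values, and then frames a constructed two-request byte stream with each parser to show the desync. The front-end model (a proxy that forwards a request with an unparsable Content-Length as if it had no body) is an assumption made for the demonstration, not the documented behaviour of any particular proxy; the function and constant names are likewise invented here.

```python
import re

# Strict grammar: RFC 9112 defines Content-Length as 1*DIGIT and chunk-size as
# 1*HEXDIG. re.fullmatch is used instead of "^...$" because "$" also matches
# before a trailing newline and would let "10\n" through.
_DIGITS = re.compile(r"[0-9]+")
_HEXDIGITS = re.compile(r"[0-9A-Fa-f]+")


def lenient_content_length(value: str) -> int:
    # The pre-fix pattern: int() also accepts a sign, underscores between
    # digits, surrounding whitespace and non-ASCII Unicode decimal digits.
    return int(value)


def lenient_chunk_size(value: str) -> int:
    # Same pattern for chunk sizes; base 16 additionally accepts a "0x" prefix.
    return int(value.strip(), 16)


def strict_content_length(value: str) -> int:
    if not _DIGITS.fullmatch(value):
        raise ValueError(f"invalid Content-Length: {value!r}")
    return int(value)


def strict_chunk_size(value: str) -> int:
    if not _HEXDIGITS.fullmatch(value):
        raise ValueError(f"invalid chunk-size: {value!r}")
    return int(value, 16)


def parse_or_none(parser, value):
    """Return parser(value), or None if the parser rejects the value."""
    try:
        return parser(value)
    except ValueError:
        return None


def compare(values, lenient, strict):
    """Map each header value to (lenient result, strict result)."""
    return {v: (parse_or_none(lenient, v), parse_or_none(strict, v)) for v in values}


# Constructed header values: the first entry of each list is RFC-valid, the rest
# are accepted only by int(). "\u0661\u0660" is "10" in Arabic-Indic digits.
CONTENT_LENGTHS = ["10", "+10", "-0", "1_0", " 10", "\u0661\u0660"]
CHUNK_SIZES = ["1a", "+1a", "1_a", "0x1a", " 1a\t"]


def front_end_content_length(value: str) -> int:
    # Hypothetical proxy model (an assumption for this example): a
    # Content-Length that fails the strict grammar is treated as absent, so the
    # request is forwarded without a body.
    parsed = parse_or_none(strict_content_length, value)
    return 0 if parsed is None else parsed


def frame_requests(stream: bytes, parse_cl):
    """Split a byte stream into (request line, body) pairs.

    Minimal HTTP/1.1 framing for the demonstration: headers end at CRLFCRLF and
    the body length comes from Content-Length via parse_cl. No chunked support.
    """
    requests = []
    pos = 0
    while pos < len(stream):
        end = stream.find(b"\r\n\r\n", pos)
        if end < 0:
            raise ValueError("incomplete headers")
        lines = stream[pos:end].decode("latin-1").split("\r\n")
        length = 0
        for line in lines[1:]:
            name, _, value = line.partition(":")
            if name.strip().lower() == "content-length":
                length = parse_cl(value.strip())
        body_start = end + 4
        body = stream[body_start:body_start + length]
        if len(body) != length:
            raise ValueError("truncated body")
        requests.append((lines[0], body))
        pos = body_start + length
    return requests


# Constructed stream: a POST whose Content-Length carries a "+" sign, followed
# by a second request. The body length 23 is exactly the length of the GET.
SMUGGLE_STREAM = (
    b"POST /submit HTTP/1.1\r\nHost: example.test\r\nContent-Length: +23\r\n\r\n"
    b"GET /admin HTTP/1.1\r\n\r\n"
)
```

With the lenient parser the stream is one POST whose body is the entire GET; with the hypothetical front end it is two requests, so the proxy and the back end disagree about where the second request starts, which is the smuggling primitive. The strict parser raises on "+23", which a server should turn into a 400 response and a closed connection rather than a guess.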
CVSS v4

Base Score: 6.3 (CVSS:4.0/AV:N/AC:H/AT:N/PR:N/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N)
Attack Vector: NETWORK
Attack Complexity: HIGH
Attack Requirements: NONE
Privileges Required: NONE
User Interaction: NONE
Vulnerable System Confidentiality: LOW
Vulnerable System Integrity: LOW
Vulnerable System Availability: LOW
Subsequent System Confidentiality: NONE
Subsequent System Integrity: NONE
Subsequent System Availability: NONE
CVSS v3

Base Score: 5.6 (CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:L)
Attack Vector: NETWORK
Attack Complexity: HIGH
Privileges Required: NONE
User Interaction: NONE
Scope: UNCHANGED
Confidentiality: LOW
Integrity: LOW
Availability: LOW
Weakness Type (CWE)

CWE-444: Inconsistent Interpretation of HTTP Requests ('HTTP Request/Response Smuggling')