fix(deps): vuln tornado (major → 6.5.7)

[gh-worker-campaigns-3e9aa4]

Summary: High-severity security update — 1 package upgraded (MAJOR changes included)

Manifests changed:

• . (pip)

---

✅ Action Required: Please review the changes below. If they look good, approve and merge this PR.

---

Updates

Package	From	To	Type	Dep Type	Vulnerabilities Fixed
tornado	3.2.2	6.5.7	major	Direct	10 HIGH, 8 MEDIUM, 1 LOW

---

Warning

Major Version Upgrade

This update includes major version changes that may contain breaking changes. Please:

• Review the changelog/release notes for breaking changes
• Test thoroughly in a staging environment
• Update any code that depends on changed APIs
• Ensure all tests pass before merging

Security Details

🚨 Critical & High Severity (10 fixed)

Package	CVE	Severity	Summary	Unsafe Version	Fixed In
tornado	CVE-2024-52804	HIGH	Tornado has HTTP cookie parsing DoS vulnerability	3.2.2	-
tornado	GHSA-qjxf-f2mg-c6mc	HIGH	Tornado is vulnerable to DoS due to too many multipart parts	3.2.2	6.5.5
tornado	GHSA-3x9g-8vmp-wqvf	HIGH	Tornado: Authorization header forwarded across cross-origin redirects in SimpleAsyncHTTPClient	3.2.2	6.5.6
tornado	GHSA-fqwm-6jpj-5wxc	HIGH	Tornado has cookie attribute injection via .RequestHandler.set_cookie	3.2.2	6.5.5
tornado	PYSEC-2026-140	high	-	3.2.2	6.5.5
tornado	CVE-2026-31958	high	Tornado has a DoS due to too many multipart parts	3.2.2	-
tornado	CVE-2025-47287	HIGH	Tornado vulnerable to excessive logging caused by malformed multipart form data	3.2.2	-
tornado	GHSA-7cx3-6m66-7c5m	HIGH	Tornado vulnerable to excessive logging caused by malformed multipart form data	3.2.2	6.5
tornado	GHSA-mgf9-4vpg-hj56	HIGH	tornado AsyncHTTPClient accumulates decompressed chunks without size limit (gzip bomb)	3.2.2	6.5.6
tornado	GHSA-8w49-h785-mj3c	HIGH	Tornado has an HTTP cookie parsing DoS vulnerability	3.2.2	6.4.2

ℹ️ Other Vulnerabilities (9)

Package	CVE	Severity	Summary	Unsafe Version	Fixed In
tornado	PYSEC-2023-75	medium	-	3.2.2	6.3.2
tornado	CVE-2023-28370	medium	-	3.2.2	-
tornado	GHSA-w235-7p84-xx57	MODERATE	Tornado has a CRLF injection in CurlAsyncHTTPClient headers	3.2.2	6.4.1
tornado	GHSA-pw6j-qg29-8w7f	MODERATE	Tornado: CurlAsyncHTTPClient leaks per-request credentials on handle reuse	3.2.2	6.5.7
tornado	GHSA-753j-mpmx-qq6g	MODERATE	Inconsistent Interpretation of HTTP Requests ('HTTP Request/Response Smuggling') in tornado	3.2.2	6.4.1
tornado	GHSA-78cv-mqj4-43f7	MODERATE	Tornado has incomplete validation of cookie attributes	3.2.2	6.5.5
tornado	GHSA-hj3f-6gcp-jg8j	MODERATE	Open redirect in Tornado	3.2.2	6.3.2
tornado	GHSA-qppv-j76h-2rpx	MODERATE	Tornado vulnerable to HTTP request smuggling via improper parsing of Content-Length fields and chunk lengths	3.2.2	6.3.3
tornado	GHSA-cx3h-4qpv-8hc9	LOW	Tornado has out-of-bounds memory access via C extension	3.2.2	6.5.6

⚠️ Dependencies that have Reached EOL (1)

Dependency	Unsafe Version	EOL Date	New Version	Path
tornado	3.2.2	-	6.5.7	requirements.txt

---

Review Checklist

Extra review is recommended for this update:

• Review changes for compatibility with your code
• Check release notes for breaking changes
• Run integration tests to verify service behavior
• Test in staging environment before production
• Monitor key metrics after deployment
• Approve and merge this PR

---

Update Mode: all_vulns

🤖 Generated by DataDog Automated Dependency Management System