Tornado: Authorization header forwarded across cross-origin redirects in SimpleAsyncHTTPClient
- Where: Global (internet)
- Category: cyber_advisory · pip
## Summary

When SimpleAsyncHTTPClient follows a 3xx redirect, it shallow-copies the original HTTPRequest, rewrites the URL, decrements max_redirects, and removes only the Host header. It does not clear Authorization, auth_username, auth_password, or auth_mode when the redirect target changes origin. As a result, credentials intended for one origin can be forwarded to a different origin when follow_redirects=True, which is the default.

Beginning in Tornado 6.5.6, `SimpleAsyncHTTPClient` matches the default behavior of `libcurl` (and therefore `CurlAsyncHTTPClient`): when a redirect changes the scheme, host, or port of the URL, the `Authorization` and `Cookie` headers will be removed when following the redirect.
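The behaviour change above, as an added illustration (not Tornado's own code): the pre-6.5.6 logic that only drops `Host`, beside a hardened version that also drops `Authorization` and `Cookie` whenever the resolved redirect target has a different scheme, host, or port. The function and header names are assumptions for this example.

```python
from urllib.parse import urljoin, urlsplit

# Headers the advisory says must not cross an origin boundary.
SENSITIVE_HEADERS = ("authorization", "cookie")
DEFAULT_PORTS = {"http": 80, "https": 443}


def origin_of(url):
    """Return (scheme, host, port) for url, filling in the scheme's default port."""
    parts = urlsplit(url)
    scheme = (parts.scheme or "").lower()
    host = (parts.hostname or "").lower()
    port = parts.port if parts.port is not None else DEFAULT_PORTS.get(scheme)
    return (scheme, host, port)


def resolve_location(original_url, location):
    """Resolve a (possibly relative) Location header against the request URL."""
    return urljoin(original_url, location)


def headers_for_redirect_vulnerable(original_url, location, headers):
    """Pre-6.5.6 style: only Host is dropped, so Authorization/Cookie leak cross-origin."""
    return {k: v for k, v in headers.items() if k.lower() != "host"}


def headers_for_redirect(original_url, location, headers):
    """Hardened: same-origin redirects keep credentials; a change of scheme,
    host or port drops Authorization and Cookie (Host is always rebuilt)."""
    target = resolve_location(original_url, location)
    kept = {k: v for k, v in headers.items() if k.lower() != "host"}
    if origin_of(original_url) == origin_of(target):
        return kept
    return {k: v for k, v in kept.items() if k.lower() not in SENSITIVE_HEADERS}


if __name__ == "__main__":
    # Constructed sample request: a bearer token plus a session cookie.
    hdrs = {"Authorization": "Bearer example-token", "Cookie": "sid=abc", "Accept": "*/*"}
    src = "https://api.example.com/v1/resource"
    print(headers_for_redirect_vulnerable(src, "https://other.example.net/", hdrs))
    print(headers_for_redirect(src, "https://other.example.net/", hdrs))
    print(headers_for_redirect(src, "/v2/resource", hdrs))
```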
Sources
- GitHub Advisory Database · first seen 2026-06-15 20:20 UTC