Release notes and version bump for v6.5.5

bdarnell · bdarnell · commit e5f1aa4b6fa2 · 2026-03-10T13:00:44.000-04:00
diff --git a/docs/releases.rst b/docs/releases.rst
@@ -4,6 +4,7 @@ Release notes
 .. toctree::
    :maxdepth: 2
 
+   releases/v6.5.5
    releases/v6.5.4
    releases/v6.5.3
    releases/v6.5.2
diff --git a/docs/releases/v6.5.5.rst b/docs/releases/v6.5.5.rst
@@ -0,0 +1,19 @@
+What's new in Tornado 6.5.5
+===========================
+
+Mar 10, 2026
+------------
+
+Security fixes
+~~~~~~~~~~~~~~
+
+- ``multipart/form-data`` requests are now limited to 100 parts by default, to prevent a
+  denial-of-service attack via very large requests with many parts. This limit is configurable
+  via `tornado.httputil.ParseMultipartConfig`. Multipart parsing can also be disabled completely
+  if not required for the application. Thanks to [0x-Apollyon](https://github.com/0x-Apollyon) and
+  [bekkaze](https://github.com/bekkaze) for reporting this issue.
+- The ``domain``, ``path``, and ``samesite`` arguments to `.RequestHandler.set_cookie` are now
+  validated for illegal characters, which could be abused to inject other attributes on the cookie.
+  Thanks to Dhiral Vyas (Praetorian) for reporting this issue.
+- Carriage return characters are no longer accepted in ``multipart/form-data`` headers. Thanks to 
+  [sergeykochanov](https://github.com/sergeykochanov) for reporting this issue.
diff --git a/tornado/__init__.py b/tornado/__init__.py
@@ -22,8 +22,8 @@
 # is zero for an official release, positive for a development branch,
 # or negative for a release candidate or beta (after the base version
 # number has been incremented)
-version = "6.5.4"
-version_info = (6, 5, 4, 0)
+version = "6.5.5"
+version_info = (6, 5, 5, 0)
 
 import importlib
 import typing
