The CVE explicitly identifies tornado.web.RequestHandler.set_header as the vulnerable function. The GitHub commit shows the fix occurred in the _convert_header_value helper method (called by set_header), where the regex check was changed from re.match() to re.search() to detect control characters anywhere in the header value. Since set_header is the public API method responsible for header manipulation and directly relied on this flawed validation, it is the primary vulnerable entry point. The test case added in the commit also directly exercises set_header with malicious input, confirming its role in the vulnerability.