CVE-2025-67725

Published Dec 12, 2025

Last updated 4 months ago

CVSS high 7.5

Overview

Description
Tornado is a Python web framework and asynchronous networking library. In versions 6.5.2 and below, a single maliciously crafted HTTP request can block the server's event loop for an extended period, caused by the HTTPHeaders.add method. The function accumulates values using string concatenation when the same header name is repeated, causing a Denial of Service (DoS). Due to Python string immutability, each concatenation copies the entire string, resulting in O(n²) time complexity. The severity can vary from high if max_header_size has been increased from its default, to low if it has its default value of 64KB. This issue is fixed in version 6.5.3.
Source
security-advisories@github.com
NVD status
Analyzed
Products
tornado

Risk scores

CVSS 3.1

Type
Secondary
Base score
7.5
Impact score
3.6
Exploitability score
3.9
Vector string
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
Severity
HIGH

Weaknesses

security-advisories@github.com
CWE-400

Social media

Hype score
Not currently trending

  1. BREAKING: Critical DoS bugs CVE-2025-67725 (CVSS 8.7) and CVE-2026-31958 in Python-Tornado hit SUSE 12 and Debian 11, vendors ship patches for malicious HTTP and multipart attacks. https://t.co/mVQDEAK0gR

    @threatcluster

    1 Apr 2026

    177 Impressions

    0 Retweets

    0 Likes

    0 Bookmarks

    0 Replies

    0 Quotes

  2. 🚨 Critical security update for #Debian 11 #Bullseye. Patch #Python #Tornado now for CVE-2025-67724 (Header Injection/XSS), CVE-2025-67725/26 (DoS). Read more: 👉 https://t.co/xpRHruoI7a #Security https://t.co/5oRlxMclaH

    @Cezar_H_Linux

    2 Feb 2026

    41 Impressions

    0 Retweets

    0 Likes

    0 Bookmarks

    0 Replies

    0 Quotes

  3. SUSE and Ubuntu release python-tornado6 updates fixing CVE-2025-67724 XSS and CVE-2025-67725 DoS risks, urging immediate patching on systems processing HTTP traffic. #XSS https://t.co/yuHFMy2feP

    @threatcluster

    6 Jan 2026

    17 Impressions

    0 Retweets

    0 Likes

    0 Bookmarks

    0 Replies

    0 Quotes

  4. I discovered CVE-2025-67724, CVE-2025-67725, and CVE-2025-67726 using my LLM agent https://t.co/iXD5J3kbRp

    @07finder

    12 Dec 2025

    3579 Impressions

    3 Retweets

    46 Likes

    13 Bookmarks

    1 Reply

    0 Quotes

Configurations

Related CVEs

  1. In Tornado before 6.5.5, cookie attribute injection could occur because the domain, path, and samesite arguments to .RequestHandler.set_cookie were not checked for crafted characters.CVE-2026-35536
  2. Tornado is a Python web framework and asynchronous networking library. In versions of Tornado prior to 6.5.5, the only limit on the number of parts in multipart/form-data is the max_body_size setting (default 100MB). Since parsing occurs synchronously on the main thread, this creates the possibility of denial-of-service due to the cost of parsing very large multipart bodies with many parts. This vulnerability is fixed in 6.5.5.CVE-2026-31958
  3. Tornado is a Python web framework and asynchronous networking library. Versions 6.5.2 and below use an inefficient algorithm when parsing parameters for HTTP header values, potentially causing a DoS. The _parseparam function in httputil.py is used to parse specific HTTP header values, such as those in multipart/form-data and repeatedly calls string.count() within a nested loop while processing quoted semicolons. If an attacker sends a request with a large number of maliciously crafted parameters in a Content-Disposition header, the server's CPU usage increases quadratically (O(n²)) during parsing. Due to Tornado's single event loop architecture, a single malicious request can cause the entire server to become unresponsive for an extended period. This issue is fixed in version 6.5.3.CVE-2025-67726
  4. Tornado is a Python web framework and asynchronous networking library. In versions 6.5.2 and below, the supplied reason phrase is used unescaped in HTTP headers (where it could be used for header injection) or in HTML in the default error page (where it could be used for XSS) and can be exploited by passing untrusted or malicious data into the reason argument. Used by both RequestHandler.set_status and tornado.web.HTTPError, the argument is designed to allow applications to pass custom "reason" phrases (the "Not Found" in HTTP/1.1 404 Not Found) to the HTTP status line (mainly for non-standard status codes). This issue is fixed in version 6.5.3.CVE-2025-67724
  5. Tornado is a Python web framework and asynchronous networking library. When Tornado's ``multipart/form-data`` parser encounters certain errors, it logs a warning but continues trying to parse the remainder of the data. This allows remote attackers to generate an extremely high volume of logs, constituting a DoS attack. This DoS is compounded by the fact that the logging subsystem is synchronous. All versions of Tornado prior to 6.5.0 are affected. The vulnerable parser is enabled by default. Upgrade to Tornado version 6.50 to receive a patch. As a workaround, risk can be mitigated by blocking `Content-Type: multipart/form-data` in a proxy.CVE-2025-47287

References

Sources include official advisories and independent security research.