CVE-2025-67724 — Cross-site Scripting in Tornado

CWE-79 — Cross-site Scripting CWE-644 — Improper Neutralization of HTTP Headers for Scripting Syntax9 documents6 sources

Severity

6.1MEDIUMNVD

EPSS

0.1%

top 76.89%

CISA KEV

Not in KEV

Exploit

No known exploits

Affected products

Tornadoweb Tornado Debian Python-tornado

Timeline

PublishedDec 12

Latest updateJan 8

Description

Tornado is a Python web framework and asynchronous networking library. In versions 6.5.2 and below, the supplied reason phrase is used unescaped in HTTP headers (where it could be used for header injection) or in HTML in the default error page (where it could be used for XSS) and can be exploited by passing untrusted or malicious data into the reason argument. Used by both RequestHandler.set_status and tornado.web.HTTPError, the argument is designed to allow applications to pass custom "reason" …

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:NExploitability: 2.8 | Impact: 2.7

Affected Packages2 packages

▶debiandebian/python-tornado< python-tornado 6.2.0-3+deb12u4 (bookworm)

▶NVDtornadoweb/tornado< 6.5.3

Patches

Patch: github.com ↗

🔴Vulnerability Details

OSV

python-tornado vulnerabilities↗2026-01-08

▶

OSV

CVE-2025-67724: Tornado is a Python web framework and asynchronous networking library↗2025-12-12

▶

📋Vendor Advisories

Ubuntu

Tornado vulnerabilities↗2026-01-08

▶

Red Hat

tornado: Tornado Header Injection and XSS via reason argument↗2025-12-12

▶

Debian

CVE-2025-67724: python-tornado - Tornado is a Python web framework and asynchronous networking library. In versio...↗2025

▶

🕵️Threat Intelligence

Wiz

CVE-2025-67726 Impact, Exploitability, and Mitigation Steps | Wiz↗

▶

Wiz

CVE-2025-67725 Impact, Exploitability, and Mitigation Steps | Wiz↗

▶

Wiz

CVE-2025-67724 Impact, Exploitability, and Mitigation Steps | Wiz↗

▶