CVE-2025-67725Uncontrolled Resource Consumption in Tornado

CWE-400Uncontrolled Resource Consumption9 documents6 sources
Severity
7.5HIGHNVD
OSV6.1
EPSS
0.4%
top 41.94%
CISA KEV
Not in KEV
Exploit
No known exploits
Affected products
2
Tornadoweb TornadoDebian Python-tornado
Timeline
PublishedDec 12
Latest updateJan 8

Description

Tornado is a Python web framework and asynchronous networking library. In versions 6.5.2 and below, a single maliciously crafted HTTP request can block the server's event loop for an extended period, caused by the HTTPHeaders.add method. The function accumulates values using string concatenation when the same header name is repeated, causing a Denial of Service (DoS). Due to Python string immutability, each concatenation copies the entire string, resulting in O(n²) time complexity. The severity

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:HExploitability: 3.9 | Impact: 3.6

Affected Packages2 packages

debiandebian/python-tornado< python-tornado 6.2.0-3+deb12u4 (bookworm)
NVDtornadoweb/tornado< 6.5.3

Patches

Patch: github.com

🔴Vulnerability Details

2
OSV
python-tornado vulnerabilities2026-01-08
OSV
CVE-2025-67725: Tornado is a Python web framework and asynchronous networking library2025-12-12

📋Vendor Advisories

3
Ubuntu
Tornado vulnerabilities2026-01-08
Red Hat
tornado: Tornado Quadratic DoS via Repeated Header Coalescing2025-12-12
Debian
CVE-2025-67725: python-tornado - Tornado is a Python web framework and asynchronous networking library. In versio...2025

🕵️Threat Intelligence

3
Wiz
CVE-2025-67726 Impact, Exploitability, and Mitigation Steps | Wiz
Wiz
CVE-2025-67725 Impact, Exploitability, and Mitigation Steps | Wiz
Wiz
CVE-2025-67724 Impact, Exploitability, and Mitigation Steps | Wiz
CVE-2025-67725 — Uncontrolled Resource Consumption | cvebase