CVE-2025-67726: Uncontrolled Resource Consumption in Tornado

Severity
NVD: 7.5 HIGH
OSV: 6.1
EPSS: 0.1% (top 68.42%)
CISA KEV: Not in KEV
Exploit: No known exploits
Timeline
Published: Dec 12, 2025
Latest update: Jan 8, 2026

Description

Tornado is a Python web framework and asynchronous networking library. Versions 6.5.2 and below use an inefficient algorithm when parsing parameters in HTTP header values, potentially causing a DoS. The _parseparam function in httputil.py is used to parse specific HTTP header values, such as those in multipart/form-data, and repeatedly calls string.count() within a nested loop while processing quoted semicolons. If an attacker sends a request with a large number of maliciously crafted parameters
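The description leaves the quadratic step implicit. The block below is an added example, my own model of the pattern rather than Tornado's code or its 6.5.3 fix: parse_params_quadratic re-counts quotes with str.count() from the start of the string for every semicolon found inside a quoted value, the shape the advisory describes; parse_params_linear applies the same splitting rule (quote parity, a quote preceded by a backslash does not count) in a single pass. make_attack_header builds a constructed input in the shape the advisory describes, many parameters whose quoted values are stuffed with semicolons, and the chars_scanned counter is an instrumentation hook I added so the growth is visible without timing. All three names are mine, not Tornado's.

```python
"""Model of the CVE-2025-67726 pattern: quote-parity counting from the start
of the string on every candidate semicolon (quadratic) versus a single-pass
scanner (linear).  Added example; not Tornado's code and not its 6.5.3 fix."""
import time


def parse_params_quadratic(s):
    """Split ';'-separated header parameters, honouring quoted semicolons.

    Mirrors the shape described in the advisory: the inner loop re-counts the
    quotes in s[0:end] with str.count() for every semicolon found inside a
    quoted value, so a value holding k quoted semicolons costs O(k^2).
    Returns (params, chars_scanned); chars_scanned tallies the characters
    examined by the two str.count() calls on each inner iteration.
    """
    params = []
    scanned = 0
    while s[:1] == ";":
        s = s[1:]
        end = s.find(";")
        # An odd number of unescaped quotes before `end` means this semicolon
        # sits inside a quoted value: look for the next one, counting again
        # from index 0 every time.
        while end > 0 and (s.count('"', 0, end) - s.count('\\"', 0, end)) % 2:
            scanned += 2 * end
            end = s.find(";", end + 1)
        if end < 0:
            end = len(s)
        params.append(s[:end].strip())
        s = s[end:]
    return params, scanned


def parse_params_linear(s):
    """Same splitting rule, one pass: track quote parity while scanning, so
    every character is visited once no matter how many semicolons sit inside
    quoted values.  Returns the list of parameters."""
    params = []
    n = len(s)
    i = 0
    while i < n and s[i] == ";":
        i += 1
        start = i
        in_quotes = False
        while i < n:
            c = s[i]
            if c == '"' and s[i - 1] != "\\":
                # same escape rule as the count-based version: a quote
                # preceded by a backslash does not flip parity
                in_quotes = not in_quotes
            elif c == ";" and not in_quotes:
                break
            i += 1
        params.append(s[start:i].strip())
    return params


def make_attack_header(num_params, semicolons_per_param):
    """Constructed input (not a captured request): each parameter is a quoted
    value stuffed with semicolons, which is what drives the inner loop."""
    value = '"' + ";" * semicolons_per_param + '"'
    return "".join(";x=" + value for _ in range(num_params))


if __name__ == "__main__":
    header = make_attack_header(100, 5000)
    for fn in (parse_params_quadratic, parse_params_linear):
        t0 = time.perf_counter()
        fn(header)
        print(f"{fn.__name__}: {time.perf_counter() - t0:.3f}s")
```

Doubling the semicolons in one quoted value roughly quadruples the quadratic parser's work (10,500 characters scanned for 100 semicolons, 41,000 for 200), while the single-pass parser's cost grows with the header length; both return identical parameter lists for a benign Content-Disposition value and for the crafted one. The practical check is the installed version (`python -c "import tornado; print(tornado.version)"`): anything at or below 6.5.2 is in scope, and the fix is to move to 6.5.3 or the patched distribution package listed under Affected Packages.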

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
Exploitability: 3.9 | Impact: 3.6

Affected Packages (2 packages)

Debian: debian/python-tornado < python-tornado 6.2.0-3+deb12u4 (bookworm)
NVD: tornadoweb/tornado < 6.5.3

Patches

🔴 Vulnerability Details (2)

OSV: python-tornado vulnerabilities (2026-01-08)
OSV: CVE-2025-67726: Tornado is a Python web framework and asynchronous networking library (2025-12-12)

📋 Vendor Advisories (3)

Ubuntu: Tornado vulnerabilities (2026-01-08)
Red Hat: tornado: Tornado Quadratic DoS via Crafted Multipart Parameters (2025-12-12)
Debian: CVE-2025-67726: python-tornado - Tornado is a Python web framework and asynchronous networking library. Versions ... (2025)

🕵️ Threat Intelligence (3)

Wiz: CVE-2025-67726 Impact, Exploitability, and Mitigation Steps | Wiz
Wiz: CVE-2025-67725 Impact, Exploitability, and Mitigation Steps | Wiz
Wiz: CVE-2025-67724 Impact, Exploitability, and Mitigation Steps | Wiz
CVE-2025-67726 — Uncontrolled Resource Consumption | cvebase