CVE-2025-67725
Unknown Unknown - Not Provided
BaseFortify

Publication date: 2025-12-12

Last updated on: 2025-12-22

Assigner: GitHub, Inc.

Description
Tornado is a Python web framework and asynchronous networking library. In versions 6.5.2 and below, a single maliciously crafted HTTP request can block the server's event loop for an extended period, caused by the HTTPHeaders.add method. The function accumulates values using string concatenation when the same header name is repeated, causing a Denial of Service (DoS). Due to Python string immutability, each concatenation copies the entire string, resulting in O(nΒ²) time complexity. The severity can vary from high if max_header_size has been increased from its default, to low if it has its default value of 64KB. This issue is fixed in version 6.5.3.
CVSS Scores
EPSS Scores
Probability:
Percentile:
Meta Information
Published
2025-12-12
Last Modified
2025-12-22
Generated
2026-06-16
AI Q&A
2025-12-12
EPSS Evaluated
2026-06-14
NVD
CVE-2025-67725
Affected Vendors & Products
Showing 1 associated CPE
Vendor Product Version / Range
tornadoweb tornado to 6.5.3 (exc)
Helpful Resources
Exploitability
CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-400 The product does not properly control the allocation and maintenance of a limited resource.
Attack-Flow Graph
AI Quick Actions
Instant insights powered by AI
Executive Summary

This vulnerability exists in Tornado versions 6.5.2 and below, where a single maliciously crafted HTTP request can block the server's event loop for an extended period. It is caused by the HTTPHeaders.add method, which concatenates strings when the same header name is repeated. Due to Python string immutability, each concatenation copies the entire string, resulting in quadratic time complexity (O(nΒ²)) and causing a Denial of Service (DoS).

Impact Analysis

The vulnerability can cause a Denial of Service (DoS) by blocking the server's event loop, potentially making the server unresponsive. The severity ranges from low to high depending on the max_header_size setting; if increased from the default 64KB, the impact can be high, otherwise it is lower.

Mitigation Strategies

Upgrade Tornado to version 6.5.3 or later, where this issue is fixed. Additionally, avoid increasing the max_header_size beyond its default value of 64KB to reduce severity.

Compliance Impact

The provided resources do not contain information regarding the impact of this vulnerability on compliance with common standards and regulations such as GDPR or HIPAA.

Detection Guidance

This vulnerability can be detected by monitoring for HTTP requests that contain a large number of repeated headers with the same name, which cause excessive processing time in the Tornado server's event loop. To detect potential exploitation attempts, you can capture and analyze HTTP traffic for requests with many repeated headers. For example, using tcpdump or tshark to capture HTTP traffic and then filtering for repeated headers. A sample command to capture HTTP traffic on port 80 is: tcpdump -A -s 0 'tcp port 80'. Then, inspect the captured requests for repeated headers. Alternatively, using tshark to filter HTTP headers: tshark -Y 'http.header' -T fields -e http.header. Since the vulnerability involves repeated headers causing DoS, detecting unusually high counts of the same header in requests can indicate exploitation attempts. Additionally, monitoring Tornado server logs for slow request processing or event loop blocking can help detect this issue. However, no specific built-in Tornado commands or scripts are provided in the resources. [2]

Chat Assistant
Ask questions about this CVE
Hi! I’m here to help you understand CVE-2025-67725. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70
EPSS Chart