CVE-2025-67725
BaseFortify
Publication date: 2025-12-12
Last updated on: 2025-12-22
Assigner: GitHub, Inc.
Description
CVSS Scores
EPSS Scores
Meta Information
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| tornadoweb | tornado | to 6.5.3 (exc) |
Helpful Resources
Exploitability
| CWE ID | Description |
|---|---|
| CWE-400 | The product does not properly control the allocation and maintenance of a limited resource. |
AI Powered Q&A
Can you explain this vulnerability to me?
This vulnerability exists in Tornado versions 6.5.2 and below, where a single maliciously crafted HTTP request can block the server's event loop for an extended period. It is caused by the HTTPHeaders.add method, which concatenates strings when the same header name is repeated. Due to Python string immutability, each concatenation copies the entire string, resulting in quadratic time complexity (O(n²)) and causing a Denial of Service (DoS).
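To make the quadratic behaviour concrete, the following is an added example, not Tornado's code and not the project's fix. `ConcatHeaders` reproduces the pattern the answer describes (every repeated name is folded into one string with `+`), while `ListHeaders` keeps a list per name and joins once on read; the class names, `parse_repeated` and `make_request_lines` are all assumptions made for this illustration.

```python
"""Why repeated-header string concatenation is O(n^2).

Added example; not Tornado's code. Two toy header stores: one that
concatenates on every repeat (the pattern CVE-2025-67725 describes) and one
that keeps a list per name and joins once at read time.
"""
import time


class ConcatHeaders:
    """Concatenates each repeated value onto one string (quadratic)."""

    def __init__(self):
        self._dict = {}

    def add(self, name, value):
        key = name.lower()
        if key in self._dict:
            # The dict still references the old string, so CPython cannot
            # extend it in place: the whole accumulated value is copied each time.
            self._dict[key] = self._dict[key] + "," + value
        else:
            self._dict[key] = value

    def get(self, name):
        return self._dict.get(name.lower())


class ListHeaders:
    """Appends to a per-name list; a single join at read time is linear."""

    def __init__(self):
        self._dict = {}

    def add(self, name, value):
        self._dict.setdefault(name.lower(), []).append(value)

    def get(self, name):
        values = self._dict.get(name.lower())
        return None if values is None else ",".join(values)


def parse_repeated(cls, lines):
    """Feed 'Name: value' header lines into a store of the given class."""
    headers = cls()
    for line in lines:
        name, _, value = line.partition(":")
        headers.add(name.strip(), value.strip())
    return headers


def make_request_lines(n, name="X-Repeat", width=8):
    """Constructed input: n copies of the same header name with a short value."""
    return [f"{name}: {'a' * width}"] * n


def time_parse(cls, n):
    """Seconds spent parsing n repeats of one header with the given store."""
    lines = make_request_lines(n)
    start = time.perf_counter()
    parse_repeated(cls, lines)
    return time.perf_counter() - start


if __name__ == "__main__":
    # Doubling n roughly quadruples the concat time but only doubles the list time.
    for n in (10_000, 20_000, 40_000):
        print(n, f"concat={time_parse(ConcatHeaders, n):.3f}s",
              f"list={time_parse(ListHeaders, n):.3f}s")
```

Both stores return the same comma-joined value for a repeated name, so the difference is purely in cost; the timing loop shows why the `max_header_size` limit matters, since n is bounded by how many header bytes the server accepts before rejecting the request.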
How can this vulnerability impact me?
The vulnerability can cause a Denial of Service (DoS) by blocking the server's event loop, potentially making the server unresponsive. The severity ranges from low to high depending on the max_header_size setting; if increased from the default 64KB, the impact can be high, otherwise it is lower.
What immediate steps should I take to mitigate this vulnerability?
Upgrade Tornado to version 6.5.3 or later, where this issue is fixed. Additionally, avoid increasing the max_header_size beyond its default value of 64KB to reduce severity.
How does this vulnerability affect compliance with common standards and regulations (like GDPR, HIPAA)?
The provided resources do not contain information regarding the impact of this vulnerability on compliance with common standards and regulations such as GDPR or HIPAA.
How can this vulnerability be detected on my network or system? Can you suggest some commands?
This vulnerability can be detected by monitoring for HTTP requests that contain a large number of repeated headers with the same name, which cause excessive processing time in the Tornado server's event loop. To detect potential exploitation attempts, you can capture and analyze HTTP traffic for requests with many repeated headers, for example using tcpdump or tshark to capture HTTP traffic and then filtering for repeated headers.

A sample command to capture HTTP traffic on port 80 is `tcpdump -A -s 0 'tcp port 80'`; then inspect the captured requests for repeated headers. Alternatively, use tshark to filter HTTP headers: `tshark -Y 'http.header' -T fields -e http.header`.

Since the vulnerability involves repeated headers causing DoS, detecting unusually high counts of the same header in requests can indicate exploitation attempts. Additionally, monitoring Tornado server logs for slow request processing or event loop blocking can help detect this issue. However, no specific built-in Tornado commands or scripts are provided in the resources. [2]
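The capture commands above only give you raw request text; the counting step still has to be done. The following added example (not a BaseFortify or Tornado tool) implements that step: it parses raw HTTP request text such as a `tcpdump -A` dump would contain, counts header names case-insensitively, and flags requests in which one name repeats at or above a threshold. `REPEAT_THRESHOLD`, the function names and the sample requests are all constructed for this illustration.

```python
"""Flag HTTP requests that repeat one header name an unusual number of times.

Added example for the detection idea in the Q&A; not Tornado's code and not a
BaseFortify tool. Works on raw request text (tcpdump -A output, a proxy log,
or a pcap exported to text). REPEAT_THRESHOLD is an assumed tuning value.
"""
from collections import Counter

# Assumption: legitimate clients rarely send the same header name this often.
REPEAT_THRESHOLD = 100


def header_name_counts(raw_request):
    """Count occurrences of each header name (case-insensitive) in one request."""
    # Headers end at the first blank line; tolerate both CRLF and bare LF.
    head = raw_request.replace("\r\n", "\n").split("\n\n", 1)[0]
    lines = head.split("\n")[1:]  # drop the request line (method, target, version)
    counts = Counter()
    for line in lines:
        if not line or line[0] in " \t":
            continue  # obsolete line folding continues the previous header
        name, sep, _ = line.partition(":")
        if sep:
            counts[name.strip().lower()] += 1
    return counts


def most_repeated(raw_request):
    """Return (name, count) for the most-repeated header name, or (None, 0)."""
    counts = header_name_counts(raw_request)
    if not counts:
        return None, 0
    return counts.most_common(1)[0]


def flag_requests(requests, threshold=REPEAT_THRESHOLD):
    """Return (index, name, count) for every request at or above the threshold."""
    findings = []
    for i, req in enumerate(requests):
        name, n = most_repeated(req)
        if n >= threshold:
            findings.append((i, name, n))
    return findings


def build_request(header_lines):
    """Constructed sample: a GET request carrying the given header lines."""
    return "GET / HTTP/1.1\r\n" + "".join(f"{h}\r\n" for h in header_lines) + "\r\n"


# Constructed samples: an ordinary request (a header legitimately repeated twice)
# and one that repeats a single name 300 times.
SAMPLE_REQUESTS = [
    build_request(["Host: example.test", "Accept: */*", "Accept: text/html"]),
    build_request(["Host: example.test"] + ["X-Repeat: aaaaaaaa"] * 300),
]

if __name__ == "__main__":
    for idx, name, n in flag_requests(SAMPLE_REQUESTS):
        print(f"request {idx}: header '{name}' repeated {n} times")
```

Repeating a header name is valid HTTP, so the first sample is not flagged; tune the threshold against your own traffic and correlate hits with slow-request entries in the Tornado logs before treating them as exploitation attempts.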