CVE-2025-67726
Unknown Unknown - Not Provided
BaseFortify

Publication date: 2025-12-12

Last updated on: 2025-12-22

Assigner: GitHub, Inc.

Description
Tornado is a Python web framework and asynchronous networking library. Versions 6.5.2 and below use an inefficient algorithm when parsing parameters for HTTP header values, potentially causing a DoS. The _parseparam function in httputil.py is used to parse specific HTTP header values, such as those in multipart/form-data and repeatedly calls string.count() within a nested loop while processing quoted semicolons. If an attacker sends a request with a large number of maliciously crafted parameters in a Content-Disposition header, the server's CPU usage increases quadratically (O(nΒ²)) during parsing. Due to Tornado's single event loop architecture, a single malicious request can cause the entire server to become unresponsive for an extended period. This issue is fixed in version 6.5.3.
CVSS Scores
EPSS Scores
Probability:
Percentile:
Meta Information
Published
2025-12-12
Last Modified
2025-12-22
Generated
2026-06-16
AI Q&A
2025-12-12
EPSS Evaluated
2026-06-15
NVD
CVE-2025-67726
Affected Vendors & Products
Showing 1 associated CPE
Vendor Product Version / Range
tornadoweb tornado to 6.5.3 (exc)
Helpful Resources
Exploitability
CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-834 The product performs an iteration or loop without sufficiently limiting the number of times that the loop is executed.
CWE-400 The product does not properly control the allocation and maintenance of a limited resource.
Attack-Flow Graph
AI Quick Actions
Instant insights powered by AI
Executive Summary

This vulnerability exists in Tornado versions 6.5.2 and below, where an inefficient algorithm is used to parse parameters in HTTP header values. Specifically, the _parseparam function in httputil.py repeatedly calls string.count() inside a nested loop when processing quoted semicolons in headers like Content-Disposition. An attacker can exploit this by sending a request with many maliciously crafted parameters, causing the server's CPU usage to increase quadratically (O(nΒ²)) during parsing. Because Tornado uses a single event loop, this can make the entire server unresponsive for a long time, effectively causing a denial of service (DoS). The issue is fixed in version 6.5.3.

Impact Analysis

This vulnerability can cause a denial of service (DoS) on servers running vulnerable Tornado versions. A single malicious request with crafted parameters can cause the server's CPU usage to spike significantly, making the server unresponsive for an extended period. This can disrupt availability of services relying on Tornado, potentially leading to downtime and loss of service.

Mitigation Strategies

Upgrade Tornado to version 6.5.3 or later, as this version contains the fix for the inefficient parameter parsing vulnerability that can cause a denial of service.

Detection Guidance

This vulnerability can be detected by monitoring for unusually high CPU usage on Tornado servers when processing HTTP requests, especially those with multipart/form-data Content-Disposition headers containing many parameters or semicolons. To detect potential exploitation attempts, you can capture and inspect HTTP requests with tools like tcpdump or Wireshark, looking for suspiciously large or complex Content-Disposition headers. Example commands include: 1) Using tcpdump to capture HTTP traffic on port 80 or 443: tcpdump -i any -s 0 -w capture.pcap port 80 or port 443 2) Using grep or similar tools to search server logs for requests with large or suspicious Content-Disposition headers. 3) Monitoring CPU usage with top or htop during suspected attack periods. However, no specific detection commands are provided in the resources. [2, 3]

Chat Assistant
Ask questions about this CVE
Hi! I’m here to help you understand CVE-2025-67726. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70
EPSS Chart