CVE-2025-67726
BaseFortify
Publication date: 2025-12-12
Last updated on: 2025-12-22
Assigner: GitHub, Inc.
Description
CVSS Scores
EPSS Scores
Meta Information
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| tornadoweb | tornado | up to 6.5.3 (exclusive) |
Helpful Resources
Exploitability
| CWE ID | Description |
|---|---|
| CWE-400 | The product does not properly control the allocation and maintenance of a limited resource. |
| CWE-834 | The product performs an iteration or loop without sufficiently limiting the number of times that the loop is executed. |
AI Powered Q&A
How can this vulnerability be detected on my network or system? Can you suggest some commands?
This vulnerability can be detected by monitoring for unusually high CPU usage on Tornado servers when processing HTTP requests, especially those with multipart/form-data Content-Disposition headers containing many parameters or semicolons. To detect potential exploitation attempts, you can capture and inspect HTTP requests with tools like tcpdump or Wireshark, looking for suspiciously large or complex Content-Disposition headers. Example approaches include:

1. Capture HTTP traffic on port 80 or 443 with tcpdump: `tcpdump -i any -s 0 -w capture.pcap port 80 or port 443`
2. Search server logs with grep or similar tools for requests with large or suspicious Content-Disposition headers.
3. Monitor CPU usage with top or htop during suspected attack periods.

However, no specific detection commands are provided in the resources. [2, 3]
Can you explain this vulnerability to me?
This vulnerability exists in Tornado versions 6.5.2 and below, where an inefficient algorithm is used to parse parameters in HTTP header values. Specifically, the `_parseparam` function in `httputil.py` repeatedly calls `string.count()` inside a nested loop when processing quoted semicolons in headers like Content-Disposition. An attacker can exploit this by sending a request with many maliciously crafted parameters, causing the server's CPU usage to increase quadratically (O(n²)) during parsing. Because Tornado uses a single event loop, this can make the entire server unresponsive for a long time, effectively causing a denial of service (DoS). The issue is fixed in version 6.5.3.
How can this vulnerability impact me?
This vulnerability can cause a denial of service (DoS) on servers running vulnerable Tornado versions. A single malicious request with crafted parameters can cause the server's CPU usage to spike significantly, making the server unresponsive for an extended period. This can disrupt availability of services relying on Tornado, potentially leading to downtime and loss of service.
What immediate steps should I take to mitigate this vulnerability?
Upgrade Tornado to version 6.5.3 or later, as this version contains the fix for the inefficient parameter parsing vulnerability that can cause a denial of service.
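The answers above describe a parser whose cost grows quadratically with the number of quoted semicolons and recommend upgrading to 6.5.3. The following added example (not Tornado's own code) shows a defender-side pre-parse guard: it counts Content-Disposition parameters in one linear pass that honours quoting, so a front-end can reject oversized header values before any quadratic parser sees them, and it checks whether an installed Tornado version string is at or past the fixed release. The limits `MAX_PARAMS` and `MAX_HEADER_LEN` are assumed values to tune per deployment.

```python
"""Linear-time guard for Content-Disposition style header values.

Added example, not Tornado's code. The limits below are assumptions;
size them to the largest legitimate header your application produces.
"""
import re

MAX_PARAMS = 32        # assumed limit on ';'-separated parameters
MAX_HEADER_LEN = 4096  # assumed limit on raw header length


def count_params_linear(value: str) -> int:
    """Count ';'-separated parameters, ignoring ';' inside quoted strings.

    Single pass, O(n). Inside quotes a backslash escapes the next character,
    so an escaped quote does not end the quoted string.
    """
    if not value.strip():
        return 0
    params = 1
    in_quotes = False
    escaped = False
    for ch in value:
        if escaped:
            escaped = False
        elif in_quotes and ch == "\\":
            escaped = True
        elif ch == '"':
            in_quotes = not in_quotes
        elif ch == ";" and not in_quotes:
            params += 1
    return params


def header_exceeds_limits(value: str, max_params: int = MAX_PARAMS,
                          max_len: int = MAX_HEADER_LEN) -> bool:
    """True if the header value should be rejected before parsing."""
    if len(value) > max_len:
        return True
    return count_params_linear(value) > max_params


def _version_tuple(version: str) -> tuple:
    """Turn '6.5.3' (or '6.5.3b1') into (6, 5, 3); missing parts count as 0."""
    nums = []
    for part in version.split(".")[:3]:
        m = re.match(r"\d+", part)
        nums.append(int(m.group()) if m else 0)
    return tuple(nums)


def tornado_version_is_fixed(version: str) -> bool:
    """True if the version is 6.5.3 or later, the release the advisory names as fixed."""
    return _version_tuple(version) >= (6, 5, 3)
```

In a real deployment the guard would run in whatever terminates TLS in front of Tornado, because headers on port 443 are only visible after decryption.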