CVE-2025-67725

EPSS 0.24%
Veröffentlicht 12.12.2025 05:49:41
Zuletzt bearbeitet 22.12.2025 18:51:18
Quelle security-advisories@github.com
CVE-Watchlists
Login
Unerledigt
Login

Tornado is a Python web framework and asynchronous networking library. In versions 6.5.2 and below, a single maliciously crafted HTTP request can block the server's event loop for an extended period, caused by the HTTPHeaders.add method. The function accumulates values using string concatenation when the same header name is repeated, causing a Denial of Service (DoS).  Due to Python string immutability, each concatenation copies the entire string, resulting in O(n²) time complexity. The severity can vary from high if max_header_size has been increased from its default, to low if it has its default value of 64KB. This issue is fixed in version 6.5.3.

Betroffene Produkte Warnungen 0 Metriken 2 CWE 1 Referenzen 6

Verknüpft mit AI von unstrukturierten Daten zu bestehenden CPE der NVD

Diese Information steht angemeldeten Benutzern zur Verfügung.

Daten sind bereitgestellt durch National Vulnerability Database (NVD)

Tornadoweb ≫ Tornado Version < 6.5.3

Zu dieser CVE wurde keine CISA KEV oder CERT.AT-Warnung gefunden.

EPSS Metriken
Typ	Quelle	Score	Percentile
EPSS	FIRST.org	0.24%	0.468

CVSS Metriken
Quelle	Base Score	Exploit Score	Impact Score	Vector String
security-advisories@github.com	7.5	3.9	3.6	CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

CWE-400 Uncontrolled Resource Consumption

The product does not properly control the allocation and maintenance of a limited resource, thereby enabling an actor to influence the amount of resources consumed, eventually leading to the exhaustion of available resources.

https://github.com/tornadoweb/tornado/releases/tag/v6.5.3

Release Notes

https://github.com/tornadoweb/tornado/security/advisories/GHSA-c98p-7wgm-6p64

Vendor Advisory

https://github.com/tornadoweb/tornado/commit/771472cfdaeebc0d89a9cc46e249f8891a6b29cd

Patch

https://nvd.nist.gov/vuln/detail/CVE-2025-67725

CVE Source (NVD)

https://cveawg.mitre.org/api/cve/CVE-2025-67725

CVE Source (JSON)

https://euvd.enisa.europa.eu/vulnerability/CVE-2025-67725

EUVD