Description

Tornado is a Python web framework and asynchronous networking library. Versions 6.5.2 and below use an inefficient algorithm when parsing parameters for HTTP header values, potentially causing a DoS. The _parseparam function in httputil.py is used to parse specific HTTP header values, such as those in multipart/form-data and repeatedly calls string.count() within a nested loop while processing quoted semicolons. If an attacker sends a request with a large number of maliciously crafted parameters in a Content-Disposition header, the server's CPU usage increases quadratically (O(n²)) during parsing. Due to Tornado's single event loop architecture, a single malicious request can cause the entire server to become unresponsive for an extended period. This issue is fixed in version 6.5.3.

INFO

Published Date :

2025-12-12T06:13:51.336Z

Last Modified :

2025-12-18T18:48:49.007Z

Source :

GitHub_M
AFFECTED PRODUCTS

The following products are affected by CVE-2025-67726 vulnerability.

Vendors Products
Tornadoweb
  • Tornado
REFERENCES

Here, you will find a curated list of external links that provide in-depth information to CVE-2025-67726.

URL Resource
https://github.com/tornadoweb/tornado/commit/771472cfdaeebc0d89a9cc46e249f8891a6b29cd cve-icon cve-icon cve-icon
https://github.com/tornadoweb/tornado/releases/tag/v6.5.3 cve-icon cve-icon cve-icon
https://github.com/tornadoweb/tornado/security/advisories/GHSA-jhmp-mqwm-3gq8 cve-icon cve-icon cve-icon
https://nvd.nist.gov/vuln/detail/CVE-2025-67726 cve-icon
https://www.cve.org/CVERecord?id=CVE-2025-67726 cve-icon
Login to claim this CVE

CVSS Vulnerability Scoring System

Detailed values of each vector for above chart.
Attack Vector
Attack Complexity
Privileges Required
User Interaction
Scope
Confidentiality Impact
Integrity Impact
Availability Impact