CVE-2025-67724

Advisory lineage Upstream: 0 Downstream: 34
Analyzed
Published: 12 Dec 2025, 05:36
Last modified:18 Dec 2025, 18:53

Vulnerability Summary

Overall Risk (default)
low
24/100
CVSS Score
6.1 MEDIUM
v3.1 (nvd)
EPSS Score
0.03% LOW
0% probability -0.02%
KEV
Not listed
Ransomware
No reports
Public exploits
None found
Dark Web
Not detected

Timeline

12 Dec 2025, 05:36
Published
Vulnerability first disclosed
18 Dec 2025, 18:53
Last Modified
Vulnerability information updated

Description

Tornado is a Python web framework and asynchronous networking library. In versions 6.5.2 and below, the supplied reason phrase is used unescaped in HTTP headers (where it could be used for header injection) or in HTML in the default error page (where it could be used for XSS) and can be exploited by passing untrusted or malicious data into the reason argument. Used by both RequestHandler.set_status and tornado.web.HTTPError, the argument is designed to allow applications to pass custom "reason" phrases (the "Not Found" in HTTP/1.1 404 Not Found) to the HTTP status line (mainly for non-standard status codes). This issue is fixed in version 6.5.3.

CVSS Metrics

  • v3.1MEDIUMScore: 5.4CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:L/A:N
  • v3.1MEDIUMScore: 6.1CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N

EPSS Trends

Current EPSS score: 0.03% Percentile: 11%

Techniques & Countermeasures

  • CWE-79Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

    The product does not neutralize or incorrectly neutralizes user-controllable input before it is placed in output that is used as a web page that is served to other users.

  • CWE-644Improper Neutralization of HTTP Headers for Scripting Syntax

    The product does not neutralize or incorrectly neutralizes web scripting syntax in HTTP headers that can be used by web browser components that can process raw headers, such as Flash.

Affected Systems

  • tornadowebtornado

    < 6.5.3

References (3)