[{"data":1,"prerenderedAt":-1},["ShallowReactive",2],{"repo-stars":3,"vuln-CVE-2025-67724":6},{"stargazers_count":4,"fetched_at":5},7,"2026-06-06T02:55:33.997Z",{"id":7,"descriptions":8,"cisa":9,"weaknesses":10,"exploits":51,"aliases":52,"duplicate_of":9,"upstream":53,"downstream":54,"duplicates":123,"related":124,"reserved_at":9,"published_at":156,"modified_at":157,"state":158,"summary":159,"references_raw":168,"kevs":188,"epss":189,"epss_history":192,"metrics":466,"affected":477},"CVE-2025-67724","Tornado is a Python web framework and asynchronous networking library. In versions 6.5.2 and below, the supplied reason phrase is used unescaped in HTTP headers (where it could be used for header injection) or in HTML in the default error page (where it could be used for XSS) and can be exploited by passing untrusted or malicious data into the reason argument. Used by both RequestHandler.set_status and tornado.web.HTTPError, the argument is designed to allow applications to pass custom \"reason\" phrases (the \"Not Found\" in HTTP/1.1 404 Not Found) to the HTTP status line (mainly for non-standard status codes). This issue is fixed in version 6.5.3.",null,[11,44],{"_key":12,"id":12,"name":13,"description":14,"type":15,"status":16,"abstraction":17,"likelihood_of_exploit":18,"capec":19},"CWE-79","Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')","The product does not neutralize or incorrectly neutralizes user-controllable input before it is placed in output that is used as a web page that is served to other users.","weakness","Stable","Base","High",[20,24,28,32,36,40],{"id":21,"name":22,"techniques":23},"CAPEC-209","XSS Using MIME Type Mismatch",[],{"id":25,"name":26,"techniques":27},"CAPEC-588","DOM-Based XSS",[],{"id":29,"name":30,"techniques":31},"CAPEC-591","Reflected XSS",[],{"id":33,"name":34,"techniques":35},"CAPEC-592","Stored XSS",[],{"id":37,"name":38,"techniques":39},"CAPEC-63","Cross-Site Scripting (XSS)",[],{"id":41,"name":42,"techniques":43},"CAPEC-85","AJAX Footprinting",[],{"_key":45,"id":45,"name":46,"description":47,"type":15,"status":48,"abstraction":49,"likelihood_of_exploit":18,"capec":50},"CWE-644","Improper Neutralization of HTTP Headers for Scripting Syntax","The product does not neutralize or incorrectly neutralizes web scripting syntax in HTTP headers that can be used by web browser components that can process raw headers, such as Flash.","Incomplete","Variant",[],[],[],[],[55,57,59,61,63,65,67,69,71,73,75,77,79,81,83,85,87,89,91,93,95,97,99,101,103,105,107,109,111,113,115,117,119,121],{"_key":56},"SUSE-SU-2026:0625-1",{"_key":58},"SUSE-SU-2026:0626-1",{"_key":60},"SUSE-SU-2026:0627-1",{"_key":62},"SUSE-SU-2026:0629-1",{"_key":64},"SUSE-SU-2026:0631-1",{"_key":66},"SUSE-SU-2026:0838-1",{"_key":68},"SUSE-SU-2026:20007-1",{"_key":70},"SUSE-SU-2026:20028-1",{"_key":72},"SUSE-SU-2026:20043-1",{"_key":74},"SUSE-SU-2026:20071-1",{"_key":76},"SUSE-SU-2026:0010-1",{"_key":78},"OPENSUSE-SU-2025:15838-1",{"_key":80},"OPENSUSE-SU-2026:10110-1",{"_key":82},"OPENSUSE-SU-2026:20015-1",{"_key":84},"SUSE-SU-2026:1030-1",{"_key":86},"SUSE-SU-2026:1027-1",{"_key":88},"SUSE-SU-2026:1012-1",{"_key":90},"SUSE-SU-2026:1026-1",{"_key":92},"SUSE-SU-2026:1014-1",{"_key":94},"SUSE-SU-2026:1028-1",{"_key":96},"SUSE-SU-2026:1029-1",{"_key":98},"SUSE-SU-2026:20820-1",{"_key":100},"SUSE-SU-2026:20825-1",{"_key":102},"OPENSUSE-SU-2026:20412-1",{"_key":104},"SUSE-SU-2026:1146-1",{"_key":106},"SUSE-SU-2026:1141-1",{"_key":108},"SUSE-SU-2026:1142-1",{"_key":110},"SUSE-SU-2026:1149-1",{"_key":112},"SUSE-SU-2026:1140-1",{"_key":114},"SUSE-SU-2026:1148-1",{"_key":116},"MGASA-2026-0092",{"_key":118},"UBUNTU-CVE-2025-67724",{"_key":120},"USN-7950-1",{"_key":122},"DEBIAN-CVE-2025-67724",[],[125,126,127,128,129,130,131,132,133,134,135,136,137,138,139,140,141,142,143,144,145,146,147,148,149,150,151,152,153,154,155],{"_key":56},{"_key":58},{"_key":60},{"_key":62},{"_key":64},{"_key":66},{"_key":68},{"_key":70},{"_key":72},{"_key":74},{"_key":76},{"_key":78},{"_key":80},{"_key":82},{"_key":84},{"_key":86},{"_key":88},{"_key":90},{"_key":92},{"_key":94},{"_key":96},{"_key":98},{"_key":100},{"_key":102},{"_key":104},{"_key":106},{"_key":108},{"_key":110},{"_key":112},{"_key":114},{"_key":116},"2025-12-12T05:36:59.992Z","2025-12-18T18:53:38.061Z","Analyzed",{"cisa_kev":160,"cisa_ransomware":160,"cisa_vendor":9,"epss_severity":161,"epss_score":162,"severity":163,"severity_score":164,"severity_version":165,"severity_source":166,"severity_vector":167,"severity_status":158},false,"low",0.00035,"medium",6.1,"v3.1","nvd","CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N",[169,177,183],{"url":170,"sources":171,"tags":173},"https://github.com/tornadoweb/tornado/security/advisories/GHSA-pr2v-jx2c-wg9f",[172,166],"cve.org",[174,175,176],"X Refsource CONFIRM","Mitigation","Vendor Advisory",{"url":178,"sources":179,"tags":180},"https://github.com/tornadoweb/tornado/commit/9c163aebeaad9e6e7d28bac1f33580eb00b0e421",[172,166],[181,182],"X Refsource MISC","Patch",{"url":184,"sources":185,"tags":186},"https://github.com/tornadoweb/tornado/releases/tag/v6.5.3",[172,166],[181,187],"Release Notes",[],{"date":190,"score":162,"percentile":191},"2026-06-05",0.10852,[193,197,200,202,205,208,211,215,218,221,224,227,231,234,237,240,243,246,249,252,255,258,261,264,267,270,272,275,278,281,284,287,290,294,297,300,303,306,309,312,315,318,321,324,327,330,333,336,339,342,345,348,350,354,357,360,364,367,370,373,376,379,382,385,388,390,393,396,399,403,406,409,412,415,418,421,424,427,430,433,436,439,442,445,448,451,454,457,460,463],{"date":194,"score":195,"percentile":196},"2025-12-12",0.00028,0.07398,{"date":198,"score":195,"percentile":199},"2025-12-13",0.07409,{"date":201,"score":195,"percentile":196},"2025-12-14",{"date":203,"score":195,"percentile":204},"2025-12-15",0.07343,{"date":206,"score":195,"percentile":207},"2025-12-16",0.07378,{"date":209,"score":195,"percentile":210},"2025-12-17",0.07467,{"date":212,"score":213,"percentile":214},"2025-12-18",0.00031,0.08432,{"date":216,"score":213,"percentile":217},"2025-12-19",0.08418,{"date":219,"score":213,"percentile":220},"2025-12-20",0.08413,{"date":222,"score":213,"percentile":223},"2025-12-21",0.08353,{"date":225,"score":213,"percentile":226},"2025-12-22",0.08305,{"date":228,"score":229,"percentile":230},"2025-12-23",0.00037,0.10806,{"date":232,"score":229,"percentile":233},"2025-12-24",0.10814,{"date":235,"score":229,"percentile":236},"2025-12-25",0.10893,{"date":238,"score":229,"percentile":239},"2025-12-26",0.10887,{"date":241,"score":229,"percentile":242},"2025-12-27",0.10892,{"date":244,"score":229,"percentile":245},"2025-12-28",0.10891,{"date":247,"score":229,"percentile":248},"2025-12-29",0.10854,{"date":250,"score":229,"percentile":251},"2025-12-30",0.10832,{"date":253,"score":229,"percentile":254},"2025-12-31",0.10883,{"date":256,"score":229,"percentile":257},"2026-01-01",0.10925,{"date":259,"score":229,"percentile":260},"2026-01-02",0.10923,{"date":262,"score":229,"percentile":263},"2026-01-03",0.1089,{"date":265,"score":229,"percentile":266},"2026-01-04",0.10819,{"date":268,"score":229,"percentile":269},"2026-01-05",0.10778,{"date":271,"score":229,"percentile":269},"2026-01-06",{"date":273,"score":229,"percentile":274},"2026-01-07",0.10809,{"date":276,"score":229,"percentile":277},"2026-01-08",0.10861,{"date":279,"score":229,"percentile":280},"2026-01-09",0.10888,{"date":282,"score":229,"percentile":283},"2026-01-10",0.10897,{"date":285,"score":229,"percentile":286},"2026-01-11",0.10872,{"date":288,"score":229,"percentile":289},"2026-01-12",0.10847,{"date":291,"score":292,"percentile":293},"2026-01-13",0.0004,0.12134,{"date":295,"score":292,"percentile":296},"2026-01-14",0.12195,{"date":298,"score":292,"percentile":299},"2026-01-15",0.12197,{"date":301,"score":292,"percentile":302},"2026-01-16",0.12247,{"date":304,"score":292,"percentile":305},"2026-01-17",0.1226,{"date":307,"score":292,"percentile":308},"2026-01-18",0.12207,{"date":310,"score":292,"percentile":311},"2026-01-19",0.1215,{"date":313,"score":292,"percentile":314},"2026-01-20",0.12133,{"date":316,"score":292,"percentile":317},"2026-01-21",0.12112,{"date":319,"score":292,"percentile":320},"2026-01-22",0.12093,{"date":322,"score":292,"percentile":323},"2026-01-23",0.12179,{"date":325,"score":292,"percentile":326},"2026-01-24",0.12235,{"date":328,"score":292,"percentile":329},"2026-01-25",0.12188,{"date":331,"score":292,"percentile":332},"2026-01-26",0.12132,{"date":334,"score":292,"percentile":335},"2026-01-27",0.12119,{"date":337,"score":292,"percentile":338},"2026-01-28",0.12105,{"date":340,"score":292,"percentile":341},"2026-01-29",0.12079,{"date":343,"score":292,"percentile":344},"2026-01-30",0.12096,{"date":346,"score":292,"percentile":347},"2026-01-31",0.12115,{"date":349,"score":292,"percentile":347},"2026-02-01",{"date":351,"score":352,"percentile":353},"2026-02-02",0.0006,0.18893,{"date":355,"score":352,"percentile":356},"2026-02-03",0.18871,{"date":358,"score":352,"percentile":359},"2026-02-04",0.18849,{"date":361,"score":362,"percentile":363},"2026-02-05",0.0005,0.1559,{"date":365,"score":362,"percentile":366},"2026-02-06",0.15612,{"date":368,"score":362,"percentile":369},"2026-02-07",0.15637,{"date":371,"score":362,"percentile":372},"2026-02-08",0.15588,{"date":374,"score":362,"percentile":375},"2026-02-09",0.15556,{"date":377,"score":362,"percentile":378},"2026-02-10",0.15481,{"date":380,"score":362,"percentile":381},"2026-02-11",0.15521,{"date":383,"score":362,"percentile":384},"2026-02-12",0.1555,{"date":386,"score":362,"percentile":387},"2026-02-13",0.15549,{"date":389,"score":362,"percentile":378},"2026-02-14",{"date":391,"score":362,"percentile":392},"2026-02-15",0.15463,{"date":394,"score":362,"percentile":395},"2026-02-16",0.15421,{"date":397,"score":362,"percentile":398},"2026-02-17",0.15389,{"date":400,"score":401,"percentile":402},"2026-02-18",0.00058,0.18094,{"date":404,"score":401,"percentile":405},"2026-02-19",0.1816,{"date":407,"score":401,"percentile":408},"2026-02-20",0.18164,{"date":410,"score":401,"percentile":411},"2026-02-21",0.18192,{"date":413,"score":401,"percentile":414},"2026-02-22",0.18191,{"date":416,"score":401,"percentile":417},"2026-02-23",0.18154,{"date":419,"score":401,"percentile":420},"2026-02-24",0.18099,{"date":422,"score":401,"percentile":423},"2026-02-25",0.18067,{"date":425,"score":401,"percentile":426},"2026-02-26",0.18049,{"date":428,"score":401,"percentile":429},"2026-02-27",0.18066,{"date":431,"score":401,"percentile":432},"2026-02-28",0.18047,{"date":434,"score":401,"percentile":435},"2026-03-01",0.18052,{"date":437,"score":401,"percentile":438},"2026-03-02",0.17993,{"date":440,"score":401,"percentile":441},"2026-03-03",0.17963,{"date":443,"score":401,"percentile":444},"2026-03-04",0.17899,{"date":446,"score":401,"percentile":447},"2026-03-05",0.17964,{"date":449,"score":401,"percentile":450},"2026-03-06",0.17947,{"date":452,"score":401,"percentile":453},"2026-03-07",0.17933,{"date":455,"score":401,"percentile":456},"2026-03-08",0.17893,{"date":458,"score":401,"percentile":459},"2026-03-09",0.17874,{"date":461,"score":401,"percentile":462},"2026-03-10",0.1786,{"date":464,"score":401,"percentile":465},"2026-03-11",0.17885,[467,474],{"source":172,"cvss_v2_0":9,"cvss_v3_0":9,"cvss_v3_1":468,"cvss_v4_0":9},{"baseScore":469,"baseSeverity":470,"vectorString":471,"impactScore":472,"exploitabilityScore":473},5.4,"MEDIUM","CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:L/A:N",4.2,7.2,{"source":166,"cvss_v2_0":9,"cvss_v3_0":9,"cvss_v3_1":475,"cvss_v4_0":9},{"baseScore":164,"baseSeverity":470,"vectorString":167,"impactScore":476,"exploitabilityScore":473},4.5,[478],{"ecosystem":9,"name":479,"vendor":480,"product":479,"cpe_part":481,"purl_type":9,"purl_namespace":9,"purl_name":9,"source":9,"versions":482},"tornado","tornadoweb","a",[483],{"version":484,"is_range":485,"range_type":486,"version_start":9,"version_start_type":9,"version_end":487,"version_end_type":488,"fixed_in":9},"lt6.5.3",true,"cpe","6.5.3","excluding"]