CVE-2025-67725

Advisory lineage Upstream: 0 Downstream: 40

Downstream

DEBIAN-CVE-2025-67725 MGASA-2026-0092 OPENSUSE-SU-2025:15838-1 OPENSUSE-SU-2026:10110-1 OPENSUSE-SU-2026:20015-1 OPENSUSE-SU-2026:20412-1

Analyzed

Published: 12 Dec 2025, 05:49

Last modified:18 Dec 2025, 18:51

Vulnerability Summary

Overall Risk (default)

medium

30/100

CVSS Score

7.5 HIGH

v3.1 (cve.org)

EPSS Score

0.21% LOW

0% probability -0.06%

KEV

Not listed

Ransomware

No reports

Public exploits

None found

Dark Web

Not detected

Timeline

12 Dec 2025, 05:49

Published

Vulnerability first disclosed

18 Dec 2025, 18:51

Last Modified

Vulnerability information updated

Description

Tornado is a Python web framework and asynchronous networking library. In versions 6.5.2 and below, a single maliciously crafted HTTP request can block the server's event loop for an extended period, caused by the HTTPHeaders.add method. The function accumulates values using string concatenation when the same header name is repeated, causing a Denial of Service (DoS). Due to Python string immutability, each concatenation copies the entire string, resulting in O(n²) time complexity. The severity can vary from high if max_header_size has been increased from its default, to low if it has its default value of 64KB. This issue is fixed in version 6.5.3.

CVSS Metrics

v3.1•HIGH•Score: 7.5CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

EPSS Trends

Current EPSS score: 0.21%• Percentile: 44%

Techniques & Countermeasures

CWE-400•Uncontrolled Resource Consumption
The product does not properly control the allocation and maintenance of a limited resource.

Affected Systems

tornadoweb•tornado
< 6.5.3