DEBIAN-CVE-2025-67724
Advisory lineage Upstream: 1 Downstream: 0
Upstream
Published: 12 Dec 2025, 06:15
Last modified:28 Apr 2026, 20:30
Vulnerability Summary
Overall Risk (default)
low
24/100 CVSS Score
6.1 MEDIUM
3.1 (osv_debian)
EPSS Score
No data
KEV
Not listed
Ransomware
No reports
Public exploits
None found
Dark Web
Not detected
Timeline
12 Dec 2025, 06:15
Published
Vulnerability first disclosed
28 Apr 2026, 20:30
Last Modified
Vulnerability information updated
Description
Tornado is a Python web framework and asynchronous networking library. In versions 6.5.2 and below, the supplied reason phrase is used unescaped in HTTP headers (where it could be used for header injection) or in HTML in the default error page (where it could be used for XSS) and can be exploited by passing untrusted or malicious data into the reason argument. Used by both RequestHandler.set_status and tornado.web.HTTPError, the argument is designed to allow applications to pass custom "reason" phrases (the "Not Found" in HTTP/1.1 404 Not Found) to the HTTP status line (mainly for non-standard status codes). This issue is fixed in version 6.5.3.
CVSS Metrics
- v3.1•MEDIUM•Score: 6.1CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
Affected Systems
- debian•python-tornado
all | all | < 6.1.0-1+deb11u3 | < 6.2.0-3+deb12u4 | < 6.4.2-3+deb13u2 | < 6.5.4-0.1