PT-2025-50884 · Tornado (+4 affected products)
Finder16
Published 2025-12-12 · Updated 2026-04-10
CVE-2025-67725
CVSS v3.1: 7.5 (High)
| Vector | AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H |
Name of the Vulnerable Software and Affected Versions
Tornado versions 6.5.2 and below
Description
Tornado, a Python web framework and asynchronous networking library, is susceptible to a denial-of-service (DoS) condition. A single specially crafted HTTP request can stall the server's event loop for a prolonged period. The cause lies in HTTPHeaders.add: when the same header name appears multiple times in a request, the values are merged by string concatenation. Because Python strings are immutable, each concatenation copies the entire accumulated value, so processing n repeated headers costs O(n²) time. The severity scales with the configured max_header_size: a larger limit lets more repeated headers fit into one request and therefore produces a longer stall, while a small limit reduces the impact to low.
Recommendations
Versions prior to 6.5.3 should be updated to version 6.5.3 or later.
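The quadratic merge described above, as an added illustration that is not Tornado's own code: a simplified header store that merges repeated names by string concatenation sits beside a list-based store that joins once, each with byte-copy accounting so the O(n²) versus O(n) cost is visible without relying on timing. The class names, the comma-join rule, the copy accounting, the parse_headers cap check and the sample request are assumptions made for this page; the 64 KiB value is Tornado's documented default for max_header_size.

```python
"""Added illustration of the quadratic header-merge behaviour in CVE-2025-67725.

This is NOT Tornado's code: it is a simplified model written for this page.
The class names, the comma-join rule and the byte-copy accounting are
assumptions used to make the cost visible; only the mechanism (merging a
repeated header name by string concatenation) follows the advisory text.
"""

MAX_HEADER_SIZE = 65536  # Tornado's documented default max_header_size (64 KiB)


class ConcatHeaders:
    """Models the pre-6.5.3 behaviour: a repeated header name is merged by
    building a new string, so every add() copies the whole existing value."""

    def __init__(self):
        self._values = {}
        self.bytes_copied = 0  # running total of characters copied

    def add(self, name, value):
        key = name.lower()  # header names are case-insensitive
        if key in self._values:
            existing = self._values[key]
            # Immutable strings: the whole accumulated value is copied again.
            self.bytes_copied += len(existing) + 1 + len(value)
            self._values[key] = existing + "," + value
        else:
            self.bytes_copied += len(value)
            self._values[key] = value

    def get(self, name):
        return self._values.get(name.lower())


class ListHeaders:
    """Linear-time alternative: collect the parts in a list and join once."""

    def __init__(self):
        self._values = {}
        self.bytes_copied = 0

    def add(self, name, value):
        key = name.lower()
        self.bytes_copied += len(value)  # only the new part is stored
        self._values.setdefault(key, []).append(value)

    def get(self, name):
        parts = self._values.get(name.lower())
        if parts is None:
            return None
        joined = ",".join(parts)  # a single O(n) copy, done on read
        self.bytes_copied += len(joined)
        return joined


def build_request(repeats, name="X-Dup", value="v"):
    """Constructed sample input: one request repeating a single header."""
    lines = ["GET / HTTP/1.1", "Host: example.invalid"]
    lines += [f"{name}: {value}"] * repeats
    return ("\r\n".join(lines) + "\r\n\r\n").encode()


def parse_headers(raw, store, max_header_size=MAX_HEADER_SIZE):
    """Feed the header block of `raw` into `store`, enforcing the size cap
    that the advisory identifies as the factor bounding the stall."""
    head, sep, _body = raw.partition(b"\r\n\r\n")
    if not sep:
        raise ValueError("incomplete header block")
    if len(head) > max_header_size:
        raise ValueError(f"header block of {len(head)} bytes exceeds cap")
    _request_line, *header_lines = head.decode("latin-1").split("\r\n")
    for line in header_lines:
        name, _, value = line.partition(":")
        store.add(name.strip(), value.strip())
    return store


def measure(repeats):
    """Return (chars copied by the concatenating store, chars copied by the
    list-based store) for a request carrying `repeats` identical headers."""
    raw = build_request(repeats)
    concat = parse_headers(raw, ConcatHeaders())
    listed = parse_headers(raw, ListHeaders())
    listed.get("X-Dup")  # force the single join so its cost is counted too
    return concat.bytes_copied, listed.bytes_copied


if __name__ == "__main__":
    for n in (100, 1000, 5000):
        c, l = measure(n)
        print(f"{n:5d} repeats: concat copies {c:>10,} chars, list copies {l:>7,}")
```

With a constructed request of 1,000 repeats the concatenating store copies roughly a million characters while the list-based store copies about three thousand; the concatenating cost grows with the square of how many repeated headers fit under max_header_size, which is why the advisory ties severity to that setting. Upgrading to 6.5.3 removes the quadratic merge; keeping max_header_size at or below the default limits how much work one request can force in the meantime.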
Tags: Exploit · Fix · DoS · Resource Exhaustion
Weakness Enumeration
Related Identifiers
Affected Products
Debian
Linuxmint
Rocky Linux
Tornado
Ubuntu