CVE-2025-67726

See a problem?
Please try reporting it to the source first.
Source
https://nvd.nist.gov/vuln/detail/CVE-2025-67726
Import Source
https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2025-67726.json
JSON Data
https://api.osv.dev/v1/vulns/CVE-2025-67726
Aliases
  • GHSA-jhmp-mqwm-3gq8
Downstream
Published
2025-12-12T06:13:51.336Z
Modified
2025-12-24T04:54:30.519343Z
Severity
  • 7.5 (High) CVSS_V3 - CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H CVSS Calculator
Summary
Tornado is Vulnerable to Quadratic DoS via Crafted Multipart Parameters
Details

Tornado is a Python web framework and asynchronous networking library. Versions 6.5.2 and below use an inefficient algorithm when parsing parameters for HTTP header values, potentially causing a DoS. The _parseparam function in httputil.py is used to parse specific HTTP header values, such as those in multipart/form-data and repeatedly calls string.count() within a nested loop while processing quoted semicolons. If an attacker sends a request with a large number of maliciously crafted parameters in a Content-Disposition header, the server's CPU usage increases quadratically (O(n²)) during parsing. Due to Tornado's single event loop architecture, a single malicious request can cause the entire server to become unresponsive for an extended period. This issue is fixed in version 6.5.3.

Database specific 
{
    "cwe_ids": [
        "CWE-400",
        "CWE-834"
    ],
    "osv_generated_from": "https://github.com/CVEProject/cvelistV5/tree/main/cves/2025/67xxx/CVE-2025-67726.json",
    "cna_assigner": "GitHub_M"
}
References

Affected packages

Git / github.com/tornadoweb/tornado

Affected ranges

Type
GIT
Repo
https://github.com/tornadoweb/tornado
Events
Introduced
0 Unknown introduced commit / All previous commits are affected
Fixed
38014ddb51520ff7762c1d55535925dba2cdbe31

Affected versions

v1.*

v1.0.0
v1.1.0
v1.1.1
v1.2.0
v1.2.1

v2.*

v2.0.0
v2.1.0
v2.1.1
v2.2.0
v2.2.1
v2.3.0
v2.4.0
v2.4.1

v3.*

v3.0.0
v3.0.1
v3.0.2
v3.1.0
v3.1.1
v3.2.0
v3.2.0b1
v3.2.0b2
v3.2.1
v3.2.2

v4.*

v4.0.0
v4.0.0b1
v4.0.0b2
v4.0.0b3
v4.0.1
v4.0.2
v4.1.0
v4.1.0b1
v4.1.0b2
v4.2.0
v4.2.0b1
v4.2.1
v4.3.0
v4.3.0b1
v4.3.0b2
v4.4.0
v4.4.0b1
v4.4.1
v4.4.2
v4.4.3
v4.5.0
v4.5.1
v4.5.2
v4.5.3

v5.*

v5.0.0
v5.0.1
v5.1.0
v5.1.0b1

v6.*

v6.0.0
v6.0.0b1
v6.1.0
v6.1.0b1
v6.1.0b2
v6.2.0
v6.2.0b1
v6.2.0b2
v6.3.0
v6.3.0b1
v6.3.1
v6.4.0
v6.4.0b1
v6.4.1
v6.5.0
v6.5.0b1
v6.5.1
v6.5.2

Database specific

source

"https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2025-67726.json"