DEBIAN-CVE-2025-67724

See a problem?
Please try reporting it to the source first.

Source

https://security-tracker.debian.org/tracker/CVE-2025-67724

Import Source

https://storage.googleapis.com/debian-osv/debian-cve-osv/DEBIAN-CVE-2025-67724.json

JSON Data

https://api.osv.dev/v1/vulns/DEBIAN-CVE-2025-67724

Upstream

CVE-2025-67724

Published

2025-12-12T06:15:41.213Z

Modified

2026-01-09T03:18:17.800221Z

Severity

6.1 (Medium) CVSS_V3 - CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N CVSS Calculator

Summary

[none]

Details

Tornado is a Python web framework and asynchronous networking library. In versions 6.5.2 and below, the supplied reason phrase is used unescaped in HTTP headers (where it could be used for header injection) or in HTML in the default error page (where it could be used for XSS) and can be exploited by passing untrusted or malicious data into the reason argument. Used by both RequestHandler.set_status and tornado.web.HTTPError, the argument is designed to allow applications to pass custom "reason" phrases (the "Not Found" in HTTP/1.1 404 Not Found) to the HTTP status line (mainly for non-standard status codes). This issue is fixed in version 6.5.3.

References

https://security-tracker.debian.org/tracker/CVE-2025-67724

Affected packages

Debian:11 / python-tornado

Package

Name: python-tornado
Purl: pkg:deb/debian/python-tornado?arch=source

Affected ranges

Type: ECOSYSTEM
Events: Introduced

0Unknown introduced version / All previous versions are affected

Affected versions

6.*

6.1.0-1

6.1.0-1+deb11u1

6.1.0-1+deb11u2

6.1.0-2

6.1.0-3

6.2.0-1

6.2.0-2

6.2.0-3

6.3.2-1

6.4.0-1

6.4.0-2

6.4.1-1

6.4.1-2

6.4.1-3

6.4.2-1

6.4.2-2

6.4.2-3

6.5.2-1

6.5.2-2

6.5.2-3

6.5.4-0.1

Ecosystem specific

{
    "urgency": "not yet assigned"
}

Database specific

source

"https://storage.googleapis.com/debian-osv/debian-cve-osv/DEBIAN-CVE-2025-67724.json"

Debian:12 / python-tornado

Package

Name: python-tornado
Purl: pkg:deb/debian/python-tornado?arch=source

Affected ranges

Type: ECOSYSTEM
Events: Introduced

0Unknown introduced version / All previous versions are affected

Affected versions

6.*

6.2.0-3

6.2.0-3+deb12u1

6.2.0-3+deb12u2

6.3.2-1

6.4.0-1

6.4.0-2

6.4.1-1

6.4.1-2

6.4.1-3

6.4.2-1

6.4.2-2

6.4.2-3

6.5.2-1

6.5.2-2

6.5.2-3

6.5.4-0.1

Ecosystem specific

{
    "urgency": "not yet assigned"
}

Database specific

source

"https://storage.googleapis.com/debian-osv/debian-cve-osv/DEBIAN-CVE-2025-67724.json"

Debian:13 / python-tornado

Package

Name: python-tornado
Purl: pkg:deb/debian/python-tornado?arch=source

Affected ranges

Type: ECOSYSTEM
Events: Introduced

0Unknown introduced version / All previous versions are affected

Affected versions

6.*

6.4.2-3

6.5.2-1

6.5.2-2

6.5.2-3

6.5.4-0.1

Ecosystem specific

{
    "urgency": "not yet assigned"
}

Database specific

source

"https://storage.googleapis.com/debian-osv/debian-cve-osv/DEBIAN-CVE-2025-67724.json"

Debian:14 / python-tornado

Package

Name: python-tornado
Purl: pkg:deb/debian/python-tornado?arch=source

Affected ranges

Type: ECOSYSTEM
Events: Introduced

0Unknown introduced version / All previous versions are affected

Fixed

6.5.4-0.1

Affected versions

6.*

6.4.2-3

6.5.2-1

6.5.2-2

6.5.2-3

Ecosystem specific

{
    "urgency": "not yet assigned"
}

Database specific

source

"https://storage.googleapis.com/debian-osv/debian-cve-osv/DEBIAN-CVE-2025-67724.json"