HTTP Header Injection and XSS Vulnerability in Tornado Web Framework
CVE-2025-67724

5.4 MEDIUM

Key Information:

Vendor: Tornadoweb
Status: Vendor
CVE Published: 12 December 2025

What is CVE-2025-67724?

Tornado, a Python web framework, wrote HTTP reason phrases into the status line of responses and into its generated HTML error pages without validating or escaping them. An application that passes untrusted data as a reason phrase (for example through the reason argument of RequestHandler.set_status) can therefore be made to emit a CR/LF sequence that terminates the status line and injects additional response headers, or HTML markup that executes as script when the error page is rendered, a cross-site scripting (XSS) attack. The vulnerability affects Tornado 6.5.2 and earlier and is fixed in 6.5.3; upgrade to 6.5.3 or later. Applications that never derive a reason phrase from request data are not exposed, and reason phrases should in any case be restricted to printable characters before being handed to the framework.
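The following is an added example, not Tornado's own code, that models the two unsafe sinks described above in plain Python so it runs without the framework installed: a status line built from an unvalidated reason phrase, and an HTML error page that interpolates the reason unescaped. Beside each is a hardened version that enforces the RFC 9112 reason-phrase character set (no CR, LF or other control characters) and HTML-escapes the phrase. The function names, the regular expression and the sample attacker inputs are constructed for this illustration; the only Tornado API referred to is set_status, mentioned in a comment.

```python
import html
import re

# An application reaches the vulnerable sink with a pattern such as
#   self.set_status(400, reason=self.get_argument("msg"))   # untrusted reason phrase
# The functions below model what happens to that phrase, not Tornado's internals.

# RFC 9112 reason-phrase: 1*( HTAB / SP / VCHAR / obs-text ). CR, LF and other
# control characters are excluded; they would end the status line early.
_REASON_RE = re.compile(r"^[\t\x20-\x7e\x80-\xff]*$")


def is_safe_reason(reason: str) -> bool:
    """True when the phrase contains only characters allowed in a reason phrase."""
    return _REASON_RE.match(reason) is not None


def build_status_line_unsafe(code: int, reason: str) -> str:
    """Vulnerable pattern: the reason phrase is interpolated verbatim."""
    return f"HTTP/1.1 {code} {reason}\r\n"


def build_status_line_safe(code: int, reason: str) -> str:
    """Hardened pattern: reject control characters before building the line."""
    if not is_safe_reason(reason):
        raise ValueError("reason phrase contains control characters")
    return f"HTTP/1.1 {code} {reason}\r\n"


def injected_header_lines(status_block: str) -> list:
    """Split a serialized status line on CRLF and return any extra lines.

    A correct status line yields exactly one line; anything beyond it was
    smuggled in by the reason phrase and would be parsed as a header."""
    lines = [l for l in status_block.split("\r\n") if l]
    return lines[1:]


def error_page_unsafe(code: int, reason: str) -> str:
    """Vulnerable pattern: the reason phrase lands in HTML unescaped."""
    return f"<html><title>{code}: {reason}</title><body>{code}: {reason}</body></html>"


def error_page_safe(code: int, reason: str) -> str:
    """Hardened pattern: escape for HTML (quotes included) before interpolating."""
    esc = html.escape(reason, quote=True)
    return f"<html><title>{code}: {esc}</title><body>{code}: {esc}</body></html>"


# Constructed attacker-controlled reason phrases for the two failure modes.
CRLF_REASON = "OK\r\nSet-Cookie: session=attacker"
XSS_REASON = "<script>alert(document.cookie)</script>"


def demo() -> dict:
    """Run both sinks against both payloads and report what each emits."""
    result = {
        "unsafe_injected_headers": injected_header_lines(
            build_status_line_unsafe(200, CRLF_REASON)),
        "unsafe_page_has_script": "<script>" in error_page_unsafe(500, XSS_REASON),
        "safe_page_has_script": "<script>" in error_page_safe(500, XSS_REASON),
    }
    try:
        build_status_line_safe(200, CRLF_REASON)
        result["safe_status_rejected"] = False
    except ValueError:
        result["safe_status_rejected"] = True
    return result


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

Run as a script, the unsafe status line yields one injected `Set-Cookie` header and the unsafe error page carries the script tag intact, while the hardened functions reject the CRLF phrase outright and render the markup as text. The same character-set check is a reasonable guard to put in front of any framework call that accepts a caller-supplied reason phrase, regardless of the framework version.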

Affected Version(s)

tornado < 6.5.3

CVSS V3.1

Score: 5.4
Severity: MEDIUM
Vector: AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:L/A:N
Confidentiality: Low
Integrity: Low
Availability: None
Attack Vector: Network
Attack Complexity: Low
Privileges Required: None
User Interaction: Required
Scope: Unchanged

Timeline

  • Vulnerability published: 12 December 2025

  • Vulnerability reserved
