Denial of Service Vulnerability in Tornado Web Framework by Tornado
CVE-2025-67725

7.5 HIGH

Key Information:

Vendor: Tornadoweb
Status: Vendor
CVE Published: 12 December 2025

What is CVE-2025-67725?

Tornado, a popular Python web framework, is susceptible to a Denial of Service (DoS) vulnerability in versions 6.5.2 and earlier. An attacker can exploit it by sending a specially crafted HTTP request that overwhelms the server's event loop. The issue arises because the HTTPHeaders.add method handles repeated header names inefficiently, with O(n²) time complexity, which causes significant performance degradation. It is particularly severe when max_header_size has been raised above its default of 64KB. The vulnerability is resolved in Tornado version 6.5.3.
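The following is an added illustration of the algorithmic point in the description, not Tornado's own code: a header container that rebuilds a comma-joined string on every repeated add() does O(n) work per call and O(n²) overall, whereas appending to a list and joining lazily stays linear. The concatenation pattern is a reconstruction of the kind of defect described, not a copy of the Tornado implementation; the per-name cap (`max_values_per_name`) is an assumed defensive measure and not a Tornado setting; the header block is a constructed sample.

```python
"""Added example (not Tornado's code): quadratic vs. linear accumulation of
repeated header values, plus a per-name cap as a defensive check."""
from collections import defaultdict
from typing import Dict, List, Optional, Tuple

# Constructed sample header block: one ordinary header and four repeats of
# the same name. Real traffic would carry many more repeats before the
# quadratic cost becomes noticeable.
SAMPLE_HEADERS = (
    b"Host: example.test\r\n"
    b"X-Repeat: v0\r\n"
    b"X-Repeat: v1\r\n"
    b"X-Repeat: v2\r\n"
    b"X-Repeat: v3\r\n"
)


class QuadraticHeaders:
    """Reconstruction of the O(n^2) pattern: each add() for an existing name
    builds a fresh joined string of every value seen so far, so the bytes
    copied grow with the number of repeats already stored."""

    def __init__(self) -> None:
        self._joined: Dict[str, str] = {}
        self.bytes_copied = 0  # instrumentation for the demonstration

    def add(self, name: str, value: str) -> None:
        key = name.lower()
        if key in self._joined:
            existing = self._joined[key]
            # Concatenation copies the whole existing string: O(n) per call.
            self.bytes_copied += len(existing) + 1 + len(value)
            self._joined[key] = existing + "," + value
        else:
            self._joined[key] = value

    def get(self, name: str) -> Optional[str]:
        return self._joined.get(name.lower())


class LinearHeaders:
    """Linear alternative: append to a list (amortised O(1)) and join only
    on read. The cap is an assumed mitigation, not a Tornado option: an
    over-repeated name is rejected outright instead of processed slowly."""

    def __init__(self, max_values_per_name: int = 100) -> None:
        self._values: Dict[str, List[str]] = defaultdict(list)
        self.max_values_per_name = max_values_per_name

    def add(self, name: str, value: str) -> None:
        key = name.lower()
        if len(self._values[key]) >= self.max_values_per_name:
            raise ValueError(
                f"header {name!r} repeated more than {self.max_values_per_name} times"
            )
        self._values[key].append(value)

    def get(self, name: str) -> Optional[str]:
        vals = self._values.get(name.lower())
        return ",".join(vals) if vals else None


def parse_header_block(raw: bytes, container) -> None:
    """Feed 'Name: value' CRLF lines into either container."""
    for line in raw.split(b"\r\n"):
        if not line:
            continue
        name, _, value = line.partition(b":")
        container.add(name.decode("latin-1").strip(), value.decode("latin-1").strip())


def demo_quadratic(raw: bytes = SAMPLE_HEADERS) -> Tuple[Optional[str], int]:
    """Return the joined X-Repeat value and the bytes copied to build it."""
    h = QuadraticHeaders()
    parse_header_block(raw, h)
    return h.get("X-Repeat"), h.bytes_copied


def parse_with_cap(raw: bytes, cap: int) -> LinearHeaders:
    """Parse with the linear container, rejecting names repeated > cap times."""
    h = LinearHeaders(max_values_per_name=cap)
    parse_header_block(raw, h)
    return h


def cap_rejects(raw: bytes, cap: int) -> bool:
    """True if the per-name cap rejects the block."""
    try:
        parse_with_cap(raw, cap)
    except ValueError:
        return True
    return False


if __name__ == "__main__":
    print("quadratic:", demo_quadratic())
    print("linear (cap 4):", parse_with_cap(SAMPLE_HEADERS, 4).get("X-Repeat"))
    print("rejected at cap 3:", cap_rejects(SAMPLE_HEADERS, 3))
```

With four two-character values the quadratic container copies 5 + 8 + 11 = 24 bytes to produce an 11-byte result; the copied total grows with the square of the repeat count, while the list-based container only ever appends. The cap turns a request that would otherwise be processed slowly into an immediate, loggable rejection.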

Affected Version(s)

tornado < 6.5.3

References

CVSS V3.1

Score: 7.5
Severity: HIGH
Confidentiality: None
Integrity: None
Availability: None
Attack Vector: Network
Attack Complexity: Low
Privileges Required: None
User Interaction: None
Scope: Unchanged

Timeline

  • Vulnerability published

  • Vulnerability Reserved
