Denial of Service Vulnerability in Tornado Python Web Framework
CVE-2025-67726

7.5 HIGH

Key Information:

Vendor: Tornadoweb
Status: Vendor
CVE Published: 12 December 2025

What is CVE-2025-67726?

Tornado, a popular Python web framework and asynchronous networking library, is affected in versions 6.5.2 and earlier (all releases before 6.5.3). The flaw is in the _parseparam function in httputil.py, which splits a header value into its ';'-separated parameters. To decide whether a given ';' sits inside a quoted string, the function re-counts quote characters from the start of the remaining value with string.count() inside a nested loop, so while a quote is open every further ';' costs another scan of everything before it. A header value that keeps the parser in the quoted state and is followed by many ';'-separated parameters therefore takes time quadratic in its length, O(n²). A single unauthenticated request carrying such a value in its Content-Disposition header (for example in a multipart form upload) can pin a CPU core for an extended period, and because Tornado serves every connection from one event-loop thread, all other requests on that process stall until parsing finishes. The flaw is fixed in version 6.5.3.
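The following is an added example and not Tornado's source: parse_params_quadratic reproduces the parsing pattern the advisory describes (quote parity recomputed with str.count() inside a nested loop, modelled on the classic stdlib cgi._parseparam that Tornado's copy descends from, which is an assumption about its exact shape), and parse_params_linear is an assumed single-pass rewrite for comparison, not the fix shipped in 6.5.3. Both return the parameter list plus a count of characters examined, so the growth rate can be checked without timing noise; malicious_header builds a constructed input, not a captured request.

```python
"""Quadratic vs linear parsing of ';'-separated HTTP header parameters (CVE-2025-67726).

Added example, not Tornado's code. The quadratic parser mirrors the classic stdlib
cgi._parseparam loop (assumed to match the pattern the advisory describes); the linear
parser is an assumed rewrite for comparison, not the upstream fix.
"""
from typing import List, Tuple


def parse_params_quadratic(s: str) -> Tuple[List[str], int]:
    """Split s (which must start with ';') into parameters, keeping ';' inside quotes.

    For every candidate ';' the quote parity of s[0:end] is recomputed from the start of
    the remaining string, so while a quote stays open each further ';' costs O(end).
    Returns (parameters, work), where work counts characters scanned by count().
    """
    work = 0
    params: List[str] = []

    def odd_quotes(text: str, end: int) -> bool:
        nonlocal work
        work += 2 * end  # two count() calls, each scanning text[0:end]
        return (text.count('"', 0, end) - text.count('\\"', 0, end)) % 2 == 1

    while s[:1] == ";":
        s = s[1:]
        end = s.find(";")
        while end > 0 and odd_quotes(s, end):
            end = s.find(";", end + 1)  # that ';' was inside quotes: try the next one
        if end < 0:
            end = len(s)
        params.append(s[:end].strip())
        s = s[end:]
    return params, work


def parse_params_linear(s: str) -> Tuple[List[str], int]:
    """Same split in one left-to-right pass: track quote state, split on ';' only outside it.

    Every character is examined once, so work equals the number of non-separator characters.
    """
    params: List[str] = []
    work = 0
    if s[:1] != ";":
        return params, work
    i, n = 1, len(s)
    while True:
        start = i
        in_quote = False
        while i < n and (in_quote or s[i] != ";"):
            if s[i] == '"' and s[i - 1] != "\\":  # backslash-escaped quotes do not toggle
                in_quote = not in_quote
            i += 1
            work += 1
        params.append(s[start:i].strip())
        if i >= n:
            return params, work
        i += 1  # skip the separating ';'


def malicious_header(n: int) -> str:
    """Constructed input (not a real capture): one unclosed quote followed by n more ';'.

    Header parsing prepends ';' to the value, so this is what the parser sees for
    a Content-Disposition value of  form-data;name="  followed by n copies of ';b'.
    """
    return ';form-data;name="' + ";b" * n


def work_ratio(n: int) -> float:
    """How many times more characters the quadratic parser examines than the linear one."""
    q_params, q_work = parse_params_quadratic(malicious_header(n))
    l_params, l_work = parse_params_linear(malicious_header(n))
    assert q_params == l_params  # both parsers agree on the result; only the cost differs
    return q_work / l_work


if __name__ == "__main__":
    for n in (100, 1_000, 10_000):
        print(f"n={n:>6}: quadratic/linear work ratio = {work_ratio(n):,.0f}")
```

Doubling n roughly doubles the ratio, which is the signature of O(n²) against O(n); with n in the tens of thousands (a header of a few hundred kilobytes) the quadratic parser examines tens of millions of characters for one request. To check a deployment, compare the installed version (pip show tornado, or tornado.version in Python) against 6.5.3.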

Affected Version(s)

tornado < 6.5.3


CVSS V3.1

Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
Score: 7.5
Severity: HIGH
Confidentiality: None
Integrity: None
Availability: High
Attack Vector: Network
Attack Complexity: Low
Privileges Required: None
User Interaction: None
Scope: Unchanged

Timeline

  • Vulnerability reserved

  • Vulnerability published: 12 December 2025