CVE-2025-67724: Tornado vulnerable to Header Injection and XSS via reason argument

Published Dec 12, 2025
·
Updated

Tornado is a Python web framework and asynchronous networking library. In versions 6.5.2 and below, the supplied reason phrase is used unescaped in HTTP headers (where it could be used for header injection) or in HTML in the default error page (where it could be used for XSS) and can be exploited by passing untrusted or malicious data into the reason argument. Used by both RequestHandler.setstatus and tornado.web.HTTPError, the argument is designed to allow applications to pass custom "reason" phrases (the "Not Found" in HTTP/1.1 404 Not Found) to the HTTP status line (mainly for non-standard status codes). This issue is fixed in version 6.5.3.

Affected Software

2 affected components
pypi/tornado<=6.5.2
tornadoweb tornado<6.5.3

Remediation

Patch Available

https://github.com/tornadoweb/tornado/commit/9c163aebeaad9e6e7d28bac1f33580eb00b0e421

Event History

Dec 12, 2025
CVE Published
via MITRE·05:36 AM
Data Sourced
via MITRE·05:36 AM
DescriptionSeverityWeakness
Data Sourced
via NVD·06:15 AM
RemedyDescriptionSeverityWeaknessAffected Software
Free Weekly Intel

Don't miss critical vulnerabilities

Join thousands of security professionals who receive our weekly digest of trending CVEs, zero-days, and exploited vulnerabilities.

No spam. Unsubscribe anytime.

Frequently Asked Questions

1

What is the severity of CVE-2025-67724?

CVE-2025-67724 has a high severity rating due to the risk of header injection and XSS vulnerabilities.

2

How do I fix CVE-2025-67724?

To fix CVE-2025-67724, upgrade to Tornado version 6.5.3 or later.

3

What systems are affected by CVE-2025-67724?

CVE-2025-67724 affects Tornado versions 6.5.2 and below.

4

What types of vulnerabilities are present in CVE-2025-67724?

CVE-2025-67724 includes header injection vulnerabilities and potential XSS in the default error page.

5

Is there a workaround for CVE-2025-67724?

There is no official workaround recommended; the best protection is to upgrade to a secure version.

Company

Resources

Contact

SecAlerts Pty Ltd.
132 Wickham Terrace
Fortitude Valley,
QLD 4006, Australia
info@secalerts.co
By using SecAlerts services, you agree to our services end-user license agreement. This website is safeguarded by reCAPTCHA and governed by the Google Privacy Policy and Terms of Service. All names, logos, and brands of products are owned by their respective owners, and any usage of these names, logos, and brands for identification purposes only does not imply endorsement. If you possess any content that requires removal, please get in touch with us.
© 2026 SecAlerts Pty Ltd.
ABN: 70 645 966 203, ACN: 645 966 203