CVE-2025-67725: Tornado is Vulnerable to Quadratic DoS via Repeated Header Coalescing
Tornado is a Python web framework and asynchronous networking library. In versions 6.5.2 and below, a single maliciously crafted HTTP request can block the server's event loop for an extended period, caused by the HTTPHeaders.add method. The function accumulates values using string concatenation when the same header name is repeated, causing a Denial of Service (DoS). Due to Python string immutability, each concatenation copies the entire string, resulting in O(n²) time complexity. The severity can vary from high if maxheadersize has been increased from its default, to low if it has its default value of 64KB. This issue is fixed in version 6.5.3.
Affected Software
Remediation
Event History
Frequently Asked Questions
What is the severity of CVE-2025-67725?
CVE-2025-67725 has a medium severity level as it can block the server's event loop due to specially crafted HTTP requests.
How do I fix CVE-2025-67725?
To fix CVE-2025-67725, upgrade your Tornado framework to version 6.5.3 or later.
What versions of Tornado are affected by CVE-2025-67725?
CVE-2025-67725 affects Tornado versions 6.5.2 and below.
Can CVE-2025-67725 be exploited remotely?
Yes, CVE-2025-67725 can be exploited remotely through malicious HTTP requests.
What function in Tornado is responsible for the vulnerability in CVE-2025-67725?
The vulnerability in CVE-2025-67725 is caused by the HTTPHeaders.add method.