Home > Vulnerability Database > CVE-2025-67725

Mend.io Vulnerability Database

CVE-2025-67725

Good to know:

Date: December 12, 2025

Tornado is a Python web framework and asynchronous networking library. In versions 6.5.2 and below, a single maliciously crafted HTTP request can block the server's event loop for an extended period, caused by the HTTPHeaders.add method. The function accumulates values using string concatenation when the same header name is repeated, causing a Denial of Service (DoS). Due to Python string immutability, each concatenation copies the entire string, resulting in O(n²) time complexity. The severity can vary from high if max_header_size has been increased from its default, to low if it has its default value of 64KB. This issue is fixed in version 6.5.3.

Severity Score

7.5

Related Resources (5)

Url: https://github.com/tornadoweb/tornado/commit/771472cfdaeebc0d89a9cc46e249f8891a6b29cd

Url: https://nvd.nist.gov/vuln/detail/CVE-2025-67725

Url: https://github.com/tornadoweb/tornado/security/advisories/GHSA-c98p-7wgm-6p64

Url: https://github.com/tornadoweb/tornado/releases/tag/v6.5.3

Url: https://www.mend.io/vulnerability-database/CVE-2025-67725

Severity Score

7.5

Weakness Type (CWE)

Uncontrolled Resource Consumption

CWE-400

Top Fix

Upgrade Version

Upgrade to version tornado - 6.5.3;tornado - 6.5.3;https://github.com/tornadoweb/tornado.git - v6.5.3

Learn More

CVSS v3.1

Base Score:	7.5
Attack Vector (AV):	NETWORK
Attack Complexity (AC):	LOW
Privileges Required (PR):	NONE
User Interaction (UI):	NONE
Scope (S):	UNCHANGED
Confidentiality (C):	NONE
Integrity (I):	NONE
Availability (A):	HIGH

Mend.io Vulnerability Database

We found results for “”

CVE-2025-67725

Good to know:

Date: December 12, 2025

Severity Score

Related Resources (5)

Severity Score

Weakness Type (CWE)

Top Fix

Upgrade Version

CVSS v3.1

Do you need more information?