Mend.io Vulnerability Database

What is a CVE vulnerability ID? icon What is a WS vulnerability ID? icon What is an MSC vulnerability ID? icon
New vulnerability? Tell us about it!
icon

We found results for “

CVE-2025-67726

Good to know:

icon
icon
icon

Date: December 12, 2025

Tornado is a Python web framework and asynchronous networking library. Versions 6.5.2 and below use an inefficient algorithm when parsing parameters for HTTP header values, potentially causing a DoS. The _parseparam function in httputil.py is used to parse specific HTTP header values, such as those in multipart/form-data and repeatedly calls string.count() within a nested loop while processing quoted semicolons. If an attacker sends a request with a large number of maliciously crafted parameters in a Content-Disposition header, the server's CPU usage increases quadratically (O(n²)) during parsing. Due to Tornado's single event loop architecture, a single malicious request can cause the entire server to become unresponsive for an extended period. This issue is fixed in version 6.5.3.

Severity Score

Related Resources (5)

https://github.com/tornadoweb/tornado/security/advisories/GHSA-jhmp-mqwm-3gq8
https://github.com/tornadoweb/tornado/commit/771472cfdaeebc0d89a9cc46e249f8891a6b29cd
https://nvd.nist.gov/vuln/detail/CVE-2025-67726
https://github.com/tornadoweb/tornado/releases/tag/v6.5.3
https://www.mend.io/vulnerability-database/CVE-2025-67726

Severity Score

Weakness Type (CWE)

Uncontrolled Resource Consumption

CWE-400

Excessive Iteration

CWE-834

Top Fix

icon

Upgrade Version

Upgrade to version tornado - 6.5.3;tornado - 6.5.3;https://github.com/tornadoweb/tornado.git - v0.6.2

Learn More

CVSS v3.1

Base Score:
Attack Vector (AV): NETWORK
Attack Complexity (AC): LOW
Privileges Required (PR): NONE
User Interaction (UI): NONE
Scope (S): UNCHANGED
Confidentiality (C): NONE
Integrity (I): NONE
Availability (A): HIGH

Do you need more information?

Contact Us