CVE-2025-67725

7.5 HIGH

📋 TL;DR

A denial-of-service vulnerability in the Tornado web framework allows a single malicious HTTP request to block the server's event loop by exploiting inefficient string concatenation in the HTTPHeaders.add method. Tornado versions 6.5.2 and below are affected, and exploitation can cause service disruption. Severity depends on configuration: the risk is higher when max_header_size is raised above the default of 64KB.

💻 Affected Systems

Products:
  • Tornado
Versions: 6.5.2 and below
Operating Systems: All
Default Config Vulnerable: ⚠️ Yes
Notes: Risk is higher when max_header_size configuration is increased beyond default 64KB. Default configuration is still vulnerable but with lower impact.

⚠️ Risk & Real-World Impact

🔴 Worst Case

Complete service unavailability for extended periods due to event loop blocking, potentially affecting all users of the vulnerable Tornado application.

🟠 Likely Case

Degraded performance or temporary service disruption for the affected Tornado instance, with recovery after the malicious request completes.

🟢 If Mitigated

Minimal impact if max_header_size remains at default 64KB, though some performance degradation may still occur.

🌐 Internet-Facing: HIGH
🏢 Internal Only: MEDIUM

🎯 Exploit Status

Public PoC: ✅ No
Weaponized: LIKELY
Unauthenticated Exploit: ⚠️ Yes
Complexity: LOW

Exploitation requires sending a single HTTP request with repeated headers to trigger the inefficient string concatenation. No authentication required.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: 6.5.3

Vendor Advisory: https://github.com/tornadoweb/tornado/security/advisories/GHSA-c98p-7wgm-6p64

Restart Required: Yes

Instructions:

1. Update Tornado to version 6.5.3 or higher using pip: pip install --upgrade "tornado>=6.5.3" (quote the specifier so the shell does not treat > as a redirect)
2. Restart all Tornado applications and services
3. Verify the update was successful

🔧 Temporary Workarounds

Rate Limiting (applies to: all)

Implement rate limiting or request throttling to limit the impact of malicious requests

Header Size Restriction (applies to: all)

Ensure max_header_size remains at default 64KB or lower to reduce impact

🧯 If You Can't Patch

  • Implement web application firewall (WAF) rules to block requests with excessive repeated headers
  • Deploy Tornado behind a reverse proxy with request filtering capabilities

🔍 How to Verify

Check if Vulnerable:

Check the Tornado version with python -c "import tornado; print(tornado.version)"; if it is 6.5.2 or below, the system is vulnerable.

Check Version:

python -c "import tornado; print(tornado.version)"

Verify Fix Applied:

After patching, verify that the version is 6.5.3 or higher using the same command.

📡 Detection & Monitoring

Log Indicators:

  • Unusually long request processing times
  • Multiple requests with same header names repeated many times
  • Event loop blocking warnings

Network Indicators:

  • HTTP requests with same header repeated hundreds or thousands of times
  • Sudden increase in request size without corresponding response

SIEM Query:

source="tornado" AND (duration>10s OR header_count>100)
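As an added example (not code from this advisory or from the Tornado project), the two defender-side checks the page describes in Python: counting repeated header names in a request head, as a WAF, reverse-proxy or log rule would, and comparing a tornado.version string against the fixed release. The 100-repeat threshold, the X-Repeat header name and the sample requests are constructed assumptions.

```python
"""Defender-side checks for CVE-2025-67725 (repeated-header DoS in Tornado).

Added example, not from the advisory or the Tornado project. The repeat
threshold, header names and sample requests are assumptions for illustration.
"""
import re
from collections import Counter

FIXED_VERSION = "6.5.3"
REPEAT_THRESHOLD = 100  # assumed; mirrors the page's header_count>100 indicator


def count_header_names(raw_request: bytes) -> Counter:
    """Count header field names (case-insensitive) in a raw HTTP/1.1 request head."""
    head = raw_request.split(b"\r\n\r\n", 1)[0]
    names: Counter = Counter()
    for line in head.split(b"\r\n")[1:]:  # skip the request line
        if not line or line[:1] in b" \t":  # blank line or obs-fold continuation
            continue
        name, sep, _ = line.partition(b":")
        if sep:
            names[name.strip().lower().decode("latin-1")] += 1
    return names


def repeated_headers(raw_request: bytes, threshold: int = REPEAT_THRESHOLD) -> dict:
    """Header names repeated at least `threshold` times; non-empty means 'flag this request'."""
    return {n: c for n, c in count_header_names(raw_request).items() if c >= threshold}


def is_vulnerable_version(version: str, fixed: str = FIXED_VERSION) -> bool:
    """True when a tornado.version string is below the fixed release (numeric parts only)."""
    def key(v: str):
        return tuple(int(p) for p in re.findall(r"\d+", v)[:3])
    return key(version) < key(fixed)


# Constructed sample requests (not captured traffic).
BENIGN = b"GET / HTTP/1.1\r\nHost: example.test\r\nAccept: */*\r\n\r\n"
SUSPECT = (b"GET / HTTP/1.1\r\nHost: example.test\r\n"
           + b"X-Repeat: a\r\n" * 500 + b"\r\n")

if __name__ == "__main__":
    print(repeated_headers(BENIGN))   # {}
    print(repeated_headers(SUSPECT))  # {'x-repeat': 500}
    print(is_vulnerable_version("6.5.2"), is_vulnerable_version("6.5.3"))  # True False
```

In a live deployment, feed is_vulnerable_version the output of the python -c "import tornado; print(tornado.version)" check from the verification section.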
