CVE-2025-67726

7.5 HIGH

📋 TL;DR

CVE-2025-67726 is a denial-of-service vulnerability in the Tornado web framework: inefficient parsing of HTTP header parameters lets an attacker cause quadratic CPU consumption. It affects Tornado servers running versions 6.5.2 and below and can leave them unresponsive to legitimate traffic.

💻 Affected Systems

Products:
  • Tornado web framework
Versions: 6.5.2 and below
Operating Systems: All operating systems running Python
Default Config Vulnerable: ⚠️ Yes
Notes: All Tornado servers using affected versions are vulnerable regardless of configuration. The vulnerability exists in httputil.py's _parseparam function.

⚠️ Risk & Real-World Impact

🔴

Worst Case

Complete server unavailability for extended periods due to CPU exhaustion from a single malicious request, affecting all users and services on the same Tornado instance.

🟠

Likely Case

Degraded server performance and intermittent service disruptions when attackers send crafted requests with many parameters in Content-Disposition headers.

🟢

If Mitigated

Minimal impact with proper rate limiting, request filtering, and updated Tornado version.

🌐 Internet-Facing: HIGH - Internet-facing Tornado servers are directly exposed to crafted requests from untrusted sources.
🏢 Internal Only: MEDIUM - Internal servers still vulnerable but attack surface reduced to internal network access.

🎯 Exploit Status

Public PoC: ✅ No
Weaponized: LIKELY
Unauthenticated Exploit: ⚠️ Yes
Complexity: LOW

Exploitation requires sending HTTP requests with malicious Content-Disposition headers containing many parameters. No authentication needed.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: 6.5.3

Vendor Advisory: https://github.com/tornadoweb/tornado/security/advisories/GHSA-jhmp-mqwm-3gq8

Restart Required: Yes

Instructions:

1. Update Tornado using pip: 'pip install --upgrade tornado==6.5.3'
2. Restart all Tornado services
3. Verify the update with 'pip show tornado'

🔧 Temporary Workarounds

Rate limiting requests (platform: all)

Implement request rate limiting to prevent multiple malicious requests from overwhelming the server.

# nginx rate limiting, declared in the http block:
limit_req_zone $binary_remote_addr zone=tornado:10m rate=10r/s;
# Added to the location block that proxies to Tornado:
limit_req zone=tornado burst=20 nodelay;

Request filtering with WAF (platform: all)

Block requests with excessive Content-Disposition parameters using web application firewall rules.

# Example ModSecurity rule (denies a request whose Content-Disposition header contains five or more semicolons):
SecRule REQUEST_HEADERS:Content-Disposition "@rx ;.*;.*;.*;.*;.*" "id:1001,phase:1,deny,status:400"

🧯 If You Can't Patch

  • Implement strict request size limits and parameter count validation
  • Deploy Tornado behind reverse proxy with request filtering and anomaly detection

🔍 How to Verify

Check if Vulnerable:

Check Tornado version with 'python -c "import tornado; print(tornado.version)"' and verify it's 6.5.2 or below

Check Version:

python -c "import tornado; print('Tornado version:', tornado.version)"

Verify Fix Applied:

Confirm version is 6.5.3 or higher with 'pip show tornado | grep Version'

📡 Detection & Monitoring

Log Indicators:

  • Unusually long request processing times
  • High CPU usage spikes
  • Requests with Content-Disposition headers containing many semicolons

Network Indicators:

  • HTTP requests with abnormally large Content-Disposition headers
  • Multiple requests with similar patterns causing server slowdown

SIEM Query:

source="tornado.logs" | where request_time > 10s | where http_user_agent contains suspicious patterns
