CVE-2025-67724

Published: Dec 12, 2025Modified: Dec 22, 2025

6.1

Vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N

Exploitability: 2.8 / Impact: 2.7

Source: NVD

Description

Tornado is a Python web framework and asynchronous networking library. In versions 6.5.2 and below, the supplied reason phrase is used unescaped in HTTP headers (where it could be used for header injection) or in HTML in the default error page (where it could be used for XSS) and can be exploited by passing untrusted or malicious data into the reason argument. Used by both RequestHandler.set_status and tornado.web.HTTPError, the argument is designed to allow applications to pass custom "reason" phrases (the "Not Found" in HTTP/1.1 404 Not Found) to the HTTP status line (mainly for non-standard status codes). This issue is fixed in version 6.5.3.

Affected (1)

Products: Tornadoweb: Tornado

1 product

Configuration A

1 vulnerable

Vulnerable Software	Affected Versions
Tornadoweb Tornado	Before 6.5.3

Related CWEs

Improper Neutralization of HTTP Headers for Scripting Syntax

The product does not neutralize or incorrectly neutralizes web scripting syntax in HTTP headers that can be used by web browser components that can process raw headers, such as Flash.

Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

The product does not neutralize or incorrectly neutralizes user-controllable input before it is placed in output that is used as a web page that is served to other users.

References (3)

https://github.com/tornadoweb/tornado/commit/9c163aebeaad9e6e7d28bac1f33580eb00b0e421

Source: security-advisories@github.com

Patch

https://github.com/tornadoweb/tornado/releases/tag/v6.5.3

Source: security-advisories@github.com

Release Notes

https://github.com/tornadoweb/tornado/security/advisories/GHSA-pr2v-jx2c-wg9f

Source: security-advisories@github.com

MitigationVendor Advisory

Timeline

No history available yet.