CVE-2025-67724

EUVD-2025-203032

12.12.2025, 06:15

Tornado is a Python web framework and asynchronous networking library. In versions 6.5.2 and below, the supplied reason phrase is used unescaped in HTTP headers (where it could be used for header injection) or in HTML in the default error page (where it could be used for XSS) and can be exploited by passing untrusted or malicious data into the reason argument. Used by both RequestHandler.set_status and tornado.web.HTTPError, the argument is designed to allow applications to pass custom "reason" phrases (the "Not Found" in HTTP/1.1 404 Not Found) to the HTTP status line (mainly for non-standard status codes). This issue is fixed in version 6.5.3.

Cross-site Scripting

Provider	Type	Base Score	Atk. Vector	Atk. Complexity	Priv. Required	Vector
NIST	Primary	5.4 MEDIUM	NETWORK	LOW	NONE	CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:L/A:N

Base Score

CVSS 3.x

EPSS Score

Percentile: Unknown

Affected Products (NVD)

Vendor	Product	Version
tornadoweb	tornado	𝑥 < 6.5.3

𝑥

= Vulnerable software versions

Debian Releases

Debian Product

Codename

python-tornado

bookworm	vulnerable
bookworm (security)	6.2.0-3+deb12u4 fixed
bullseye	vulnerable
bullseye (security)	6.1.0-1+deb11u4 fixed
forky	6.5.4-1 fixed
sid	6.5.5-1 fixed
trixie	vulnerable
trixie (security)	6.4.2-3+deb13u2 fixed

Common Weakness Enumeration

CWE-79 - Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
The software does not neutralize or incorrectly neutralizes user-controllable input before it is placed in output that is used as a web page that is served to other users.

References

https://github.com/tornadoweb/tornado/commit/9c163aebeaad9e6e7d28bac1f33580eb00b0e421

https://github.com/tornadoweb/tornado/releases/tag/v6.5.3

https://github.com/tornadoweb/tornado/security/advisories/GHSA-pr2v-jx2c-wg9f