CVE-2025-67724

EUVD-2025-203032

12.12.2025, 06:15

Tornado is a Python web framework and asynchronous networking library. In versions 6.5.2 and below, the supplied reason phrase is used unescaped in HTTP headers (where it could be used for header injection) or in HTML in the default error page (where it could be used for XSS) and can be exploited by passing untrusted or malicious data into the reason argument. Used by both RequestHandler.set_status and tornado.web.HTTPError, the argument is designed to allow applications to pass custom "reason" phrases (the "Not Found" in HTTP/1.1 404 Not Found) to the HTTP status line (mainly for non-standard status codes). This issue is fixed in version 6.5.3.

Cross-site Scripting

Provider	Type	Base Score	Atk. Vector	Atk. Complexity	Priv. Required	Vector
NIST	Primary	5.4 MEDIUM	NETWORK	LOW	NONE	CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:L/A:N

Base Score

CVSS 3.x

EPSS Score

Percentile: 10%

Affected Products (NVD)

Vendor	Product	Version
tornadoweb	tornado	𝑥 < 6.5.3

𝑥

= Vulnerable software versions

Debian Releases

Debian Product

Codename

python-tornado

bookworm	6.2.0-3+deb12u4 fixed
bookworm (security)	6.2.0-3+deb12u4 fixed
bullseye	vulnerable
bullseye (security)	6.1.0-1+deb11u4 fixed
forky	6.5.5-1 fixed
sid	6.5.5-2 fixed
trixie	6.4.2-3+deb13u2 fixed
trixie (security)	6.4.2-3+deb13u2 fixed

openSUSE / SLES Releases

openSUSE Product

Release

python3-salt

suse enterprise sap 15 SP5	3006.0-150500.4.68.2 fixed
suse enterprise sap 15 SP6	3006.0-150500.4.68.2 fixed
suse enterprise server 15 SP4	3006.0-150400.8.94.2 fixed
suse enterprise server 15 SP5	3006.0-150500.4.68.2 fixed
suse enterprise server 15 SP6	3006.0-150500.4.68.2 fixed

python3-tornado

suse enterprise server 15 SP4

4.5.3-150000.3.16.1

fixed

python311-salt

suse enterprise sap 15 SP5	3006.0-150500.4.68.2 fixed
suse enterprise sap 15 SP6	3006.0-150500.4.68.2 fixed
suse enterprise server 15 SP4	3006.0-150400.8.94.2 fixed
suse enterprise server 15 SP5	3006.0-150500.4.68.2 fixed
suse enterprise server 15 SP6	3006.0-150500.4.68.2 fixed

python311-tornado6

suse enterprise desktop 15 SP7	6.3.2-150400.9.12.1 fixed
suse enterprise sap 15 SP5	6.3.2-150400.9.12.1 fixed
suse enterprise sap 15 SP6	6.3.2-150400.9.12.1 fixed
suse enterprise sap 15 SP7	6.3.2-150400.9.12.1 fixed
suse enterprise server 15 SP4	6.3.2-150400.9.12.1 fixed
suse enterprise server 15 SP5	6.3.2-150400.9.12.1 fixed
suse enterprise server 15 SP6	6.3.2-150400.9.12.1 fixed
suse enterprise server 15 SP7	6.3.2-150400.9.12.1 fixed

salt

suse enterprise sap 15 SP5	3006.0-150500.4.68.2 fixed
suse enterprise sap 15 SP6	3006.0-150500.4.68.2 fixed
suse enterprise server 15 SP4	3006.0-150400.8.94.2 fixed
suse enterprise server 15 SP5	3006.0-150500.4.68.2 fixed
suse enterprise server 15 SP6	3006.0-150500.4.68.2 fixed

salt-api

suse enterprise sap 15 SP5	3006.0-150500.4.68.2 fixed
suse enterprise sap 15 SP6	3006.0-150500.4.68.2 fixed
suse enterprise server 15 SP4	3006.0-150400.8.94.2 fixed
suse enterprise server 15 SP5	3006.0-150500.4.68.2 fixed
suse enterprise server 15 SP6	3006.0-150500.4.68.2 fixed

salt-bash-completion

suse enterprise sap 15 SP5	3006.0-150500.4.68.2 fixed
suse enterprise sap 15 SP6	3006.0-150500.4.68.2 fixed
suse enterprise server 15 SP4	3006.0-150400.8.94.2 fixed
suse enterprise server 15 SP5	3006.0-150500.4.68.2 fixed
suse enterprise server 15 SP6	3006.0-150500.4.68.2 fixed

salt-cloud

suse enterprise sap 15 SP5	3006.0-150500.4.68.2 fixed
suse enterprise sap 15 SP6	3006.0-150500.4.68.2 fixed
suse enterprise server 15 SP4	3006.0-150400.8.94.2 fixed
suse enterprise server 15 SP5	3006.0-150500.4.68.2 fixed
suse enterprise server 15 SP6	3006.0-150500.4.68.2 fixed

salt-doc

suse enterprise sap 15 SP5	3006.0-150500.4.68.2 fixed
suse enterprise sap 15 SP6	3006.0-150500.4.68.2 fixed
suse enterprise server 15 SP4	3006.0-150400.8.94.2 fixed
suse enterprise server 15 SP5	3006.0-150500.4.68.2 fixed
suse enterprise server 15 SP6	3006.0-150500.4.68.2 fixed

salt-fish-completion

suse enterprise sap 15 SP5	3006.0-150500.4.68.2 fixed
suse enterprise sap 15 SP6	3006.0-150500.4.68.2 fixed
suse enterprise server 15 SP4	3006.0-150400.8.94.2 fixed
suse enterprise server 15 SP5	3006.0-150500.4.68.2 fixed
suse enterprise server 15 SP6	3006.0-150500.4.68.2 fixed

salt-master

suse enterprise sap 15 SP5	3006.0-150500.4.68.2 fixed
suse enterprise sap 15 SP6	3006.0-150500.4.68.2 fixed
suse enterprise server 15 SP4	3006.0-150400.8.94.2 fixed
suse enterprise server 15 SP5	3006.0-150500.4.68.2 fixed
suse enterprise server 15 SP6	3006.0-150500.4.68.2 fixed

salt-minion

suse enterprise sap 15 SP5	3006.0-150500.4.68.2 fixed
suse enterprise sap 15 SP6	3006.0-150500.4.68.2 fixed
suse enterprise server 15 SP4	3006.0-150400.8.94.2 fixed
suse enterprise server 15 SP5	3006.0-150500.4.68.2 fixed
suse enterprise server 15 SP6	3006.0-150500.4.68.2 fixed

salt-proxy

suse enterprise sap 15 SP5	3006.0-150500.4.68.2 fixed
suse enterprise sap 15 SP6	3006.0-150500.4.68.2 fixed
suse enterprise server 15 SP4	3006.0-150400.8.94.2 fixed
suse enterprise server 15 SP5	3006.0-150500.4.68.2 fixed
suse enterprise server 15 SP6	3006.0-150500.4.68.2 fixed

salt-ssh

suse enterprise sap 15 SP5	3006.0-150500.4.68.2 fixed
suse enterprise sap 15 SP6	3006.0-150500.4.68.2 fixed
suse enterprise server 15 SP4	3006.0-150400.8.94.2 fixed
suse enterprise server 15 SP5	3006.0-150500.4.68.2 fixed
suse enterprise server 15 SP6	3006.0-150500.4.68.2 fixed

salt-standalone-formulas-configuration

suse enterprise sap 15 SP5	3006.0-150500.4.68.2 fixed
suse enterprise sap 15 SP6	3006.0-150500.4.68.2 fixed
suse enterprise server 15 SP4	3006.0-150400.8.94.2 fixed
suse enterprise server 15 SP5	3006.0-150500.4.68.2 fixed
suse enterprise server 15 SP6	3006.0-150500.4.68.2 fixed

salt-syndic

suse enterprise sap 15 SP5	3006.0-150500.4.68.2 fixed
suse enterprise sap 15 SP6	3006.0-150500.4.68.2 fixed
suse enterprise server 15 SP4	3006.0-150400.8.94.2 fixed
suse enterprise server 15 SP5	3006.0-150500.4.68.2 fixed
suse enterprise server 15 SP6	3006.0-150500.4.68.2 fixed

salt-transactional-update

suse enterprise server 15 SP4

3006.0-150400.8.94.2

fixed

salt-zsh-completion

suse enterprise sap 15 SP5	3006.0-150500.4.68.2 fixed
suse enterprise sap 15 SP6	3006.0-150500.4.68.2 fixed
suse enterprise server 15 SP4	3006.0-150400.8.94.2 fixed
suse enterprise server 15 SP5	3006.0-150500.4.68.2 fixed
suse enterprise server 15 SP6	3006.0-150500.4.68.2 fixed

Common Weakness Enumeration

CWE-79 - Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
The software does not neutralize or incorrectly neutralizes user-controllable input before it is placed in output that is used as a web page that is served to other users.

References

https://github.com/tornadoweb/tornado/commit/9c163aebeaad9e6e7d28bac1f33580eb00b0e421

https://github.com/tornadoweb/tornado/releases/tag/v6.5.3

https://github.com/tornadoweb/tornado/security/advisories/GHSA-pr2v-jx2c-wg9f