CVE-2025-67724

Name: CVE-2025-67724
Description: Tornado is a Python web framework and asynchronous networking library. In versions 6.5.2 and below, the reason phrase supplied through the reason argument is used unescaped in HTTP headers (where it could be used for header injection) and in the HTML of the default error page (where it could be used for XSS), so passing untrusted or malicious data into that argument is exploitable. The argument, accepted by both RequestHandler.set_status and tornado.web.HTTPError, is designed to let applications pass a custom "reason" phrase (the "Not Found" in HTTP/1.1 404 Not Found) for the HTTP status line, mainly for non-standard status codes. This issue is fixed in version 6.5.3.
Source: CVE (at NVD; CERT, ENISA, LWN, oss-sec, fulldisc, Debian ELTS, Red Hat, Ubuntu, Gentoo, SUSE bugzilla/CVE, GitHub advisories/code/issues, web search, more)
Debian Bugs: 1122660

Vulnerable and fixed packages

The table below lists information on source packages.

Source Package       | Release                        | Version           | Status
---------------------|--------------------------------|-------------------|-----------
python-tornado (PTS) | bullseye                       | 6.1.0-1           | vulnerable
                     | bullseye (security)            | 6.1.0-1+deb11u2   | vulnerable
                     | bookworm, bookworm (security)  | 6.2.0-3+deb12u2   | vulnerable
                     | trixie                         | 6.4.2-3           | vulnerable
                     | forky, sid                     | 6.5.2-3           | vulnerable

The information below is based on the following data on fixed versions.

Package        | Type   | Release    | Fixed Version | Urgency | Origin | Debian Bugs
---------------|--------|------------|---------------|---------|--------|------------
python-tornado | source | (unstable) | (unfixed)     |         |        | 1122660

Notes

https://github.com/tornadoweb/tornado/security/advisories/GHSA-pr2v-jx2c-wg9f
Fixed by: https://github.com/tornadoweb/tornado/commit/9c163aebeaad9e6e7d28bac1f33580eb00b0e421 (v6.5.3)
