CVE-2025-67724

Medium CVSS: 5.4

Tornado is a Python web framework and asynchronous networking library. In versions 6.5.2 and below, the supplied reason phrase is used unescaped in HTTP headers (where it could be used for header injection) or in HTML in the default error page (where it could be used for XSS) and can be exploited by passing untrusted or malicious data into the reason argument. Used by both RequestHandler.set_status and tornado.web.HTTPError, the argument is designed to allow applications to pass custom "reason" phrases (the "Not Found" in HTTP/1.1 404 Not Found) to the HTTP status line (mainly for non-standard status codes). This issue is fixed in version 6.5.3.

Vendor

Tornadoweb

Product

Tornado

CWE

CWE-79

Yayın Tarihi

2025-12-12 06:15:41

Güncelleme

2025-12-22 18:49:24

Source Identifier

security-advisories@github.com

KEV Date Added

Kategoriler

CWE-79 Tornado MEDIUM Tornadoweb 2025

Referanslar

https://github.com/tornadoweb/tornado/commit/9c163aebeaad9e6e7d28bac1f33580eb00b0e421 https://github.com/tornadoweb/tornado/releases/tag/v6.5.3 https://github.com/tornadoweb/tornado/security/advisories/GHSA-pr2v-jx2c-wg9f

Benzer Kayıtlar

High

CVE-2026-31958

Tornado is a Python web framework and asynchronous networking library. In versions of Tornado prior to 6.5.5, the only l…

High

CVE-2025-67726

Tornado is a Python web framework and asynchronous networking library. Versions 6.5.2 and below use an inefficient algor…

High

CVE-2025-67725

Tornado is a Python web framework and asynchronous networking library. In versions 6.5.2 and below, a single maliciously…

High

CVE-2025-47287

Tornado is a Python web framework and asynchronous networking library. When Tornado's ``multipart/form-data`` parser enc…