
Ubuntu: USN-7950-1 (CVE-2025-67724): Tornado vulnerabilities

Severity: 6
CVSS: (AV:N/AC:M/Au:N/C:P/I:P/A:N)
Published: Dec 12, 2025
Added: Jan 9, 2026
Modified: Jan 12, 2026

Description

It was discovered that Tornado incorrectly handled special characters in
HTTP headers. An attacker could possibly use this issue to execute a
cross-site scripting (XSS) attack. This issue only affected Ubuntu 20.04 LTS,
Ubuntu 22.04 LTS, Ubuntu 24.04 LTS, Ubuntu 25.04, and Ubuntu 25.10.
(CVE-2025-67724)

It was discovered that Tornado incorrectly handled repeated HTTP headers.
An attacker could possibly use this issue to cause Tornado to use excessive
resources, causing a denial of service. (CVE-2025-67725)

It was discovered that Tornado incorrectly handled parsing of certain HTTP
header values. An attacker could possibly use this issue to cause Tornado
to use excessive resources, causing a denial of service. (CVE-2025-67726)

Solutions

ubuntu-pro-upgrade-python-tornado
ubuntu-pro-upgrade-python3-tornado