CVE-2025-67724 affects Tornado, a popular Python web framework and asynchronous networking library, in versions 6.5.2 and earlier. The vulnerability stems from improper escaping of the 'reason' phrase used in HTTP status lines, which is passed unescaped into HTTP headers and HTML error pages. Specifically, the reason argument in RequestHandler.set_status and tornado.web.HTTPError allows applications to specify custom reason phrases (e.g., the 'Not Found' in '404 Not Found'). Because this input is not sanitized, an attacker can inject malicious content that results in cross-site scripting (CWE-79) when rendered in the default error page, or HTTP header injection (CWE-644) when included in HTTP headers. This can be exploited by supplying crafted input to the reason parameter, potentially leading to execution of arbitrary scripts in the victim's browser or manipulation of HTTP headers. The vulnerability requires no privileges and no authentication but does require user interaction (e.g., a victim visiting a maliciously crafted URL). The CVSS v3.1 base score is 5.4 (medium severity), reflecting limited confidentiality and integrity impacts and no availability impact. The issue was fixed in Tornado version 6.5.3 by properly escaping the reason phrase before inclusion in headers and HTML. No known exploits have been reported in the wild to date.

For European organizations, this vulnerability poses a risk primarily to web applications built on Tornado versions below 6.5.3 that utilize custom HTTP status reason phrases. Successful exploitation can lead to cross-site scripting attacks, enabling attackers to steal session cookies, perform actions on behalf of users, or deliver malicious payloads. HTTP header injection could also facilitate cache poisoning or redirect attacks. While the impact on confidentiality and integrity is limited, such attacks can undermine user trust and lead to data leakage or unauthorized actions. Organizations in sectors with high web exposure—such as finance, government, healthcare, and critical infrastructure—are at greater risk. Additionally, compliance with GDPR and other data protection regulations may be impacted if personal data is compromised through XSS attacks. The lack of known exploits reduces immediate risk but does not eliminate the threat, especially as attackers may develop exploits post-disclosure.

European organizations should immediately upgrade Tornado to version 6.5.3 or later to ensure the vulnerability is patched. For applications where immediate upgrade is not feasible, developers should implement input validation and sanitization on any user-supplied data passed to the reason argument, ensuring that special characters are properly escaped before inclusion in HTTP headers or HTML content. Employing Content Security Policy (CSP) headers can help mitigate the impact of potential XSS attacks by restricting script execution. Web Application Firewalls (WAFs) should be configured to detect and block suspicious inputs targeting the reason parameter. Regular security testing, including automated scanning and manual code reviews focusing on HTTP status handling, is recommended. Monitoring for unusual HTTP header manipulations or error page behaviors can provide early detection of exploitation attempts. Finally, educating developers about secure coding practices related to HTTP response construction is essential to prevent similar issues.