
CVE-2025-67724: CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') in tornadoweb tornado

Severity: Medium
Tags: Vulnerability, cve, cve-2025-67724, cwe-79, cwe-644
Published: Fri Dec 12 2025 (12/12/2025, 05:36:59 UTC)
Source: CVE Database V5
Vendor/Project: tornadoweb
Product: tornado

Description

Tornado is a Python web framework and asynchronous networking library. In versions 6.5.2 and below, the supplied reason phrase is used unescaped in HTTP headers (where it could be used for header injection) or in HTML in the default error page (where it could be used for XSS) and can be exploited by passing untrusted or malicious data into the reason argument. Used by both RequestHandler.set_status and tornado.web.HTTPError, the argument is designed to allow applications to pass custom "reason" phrases (the "Not Found" in HTTP/1.1 404 Not Found) to the HTTP status line (mainly for non-standard status codes). This issue is fixed in version 6.5.3.

AI-Powered Analysis

AI analysis last updated: 12/19/2025, 07:49:09 UTC

Technical Analysis

CVE-2025-67724 is a cross-site scripting (XSS) vulnerability in the Tornado web framework, a widely used Python asynchronous networking library and web server framework. The issue exists in versions 6.5.2 and earlier: the 'reason' phrase parameter used in HTTP status responses is not sanitized or escaped before being placed into the HTTP status line or into the default HTML error page. The 'reason' phrase is intended as a short textual explanation for an HTTP status code (e.g., 'Not Found' in a 404 response) and can be set via the RequestHandler.set_status method or by raising tornado.web.HTTPError with a custom reason. Because the value is reflected without neutralization, an application that passes untrusted data into the reason argument lets an attacker place JavaScript in the error page, which then executes in the victim's browser as a reflected XSS attack. The same unescaped value in the status line can also enable header injection, potentially including HTTP response splitting or other header-based attacks. The vulnerability requires no authentication but does require user interaction (visiting a crafted URL). The CVSS 3.1 base score is 5.4 (medium), reflecting limited confidentiality and integrity impact and no availability impact. The issue was reserved on December 10, 2025, and published on December 12, 2025, with no known exploits in the wild. It is addressed in Tornado version 6.5.3 by properly escaping the reason phrase in both the HTTP headers and the HTML error page.

Potential Impact

For European organizations, this vulnerability poses a moderate risk primarily to web applications built on Tornado versions 6.5.2 and earlier. Successful exploitation could allow attackers to execute arbitrary JavaScript in users' browsers, potentially leading to session hijacking, theft of sensitive information, or manipulation of web content, thereby compromising confidentiality and integrity. While the vulnerability does not affect system availability, the reputational damage and potential data breaches could be significant, especially for organizations handling sensitive user data or operating critical services. Since Tornado is widely used in Python web development, sectors such as finance, healthcare, government, and e-commerce in Europe could be targeted. The lack of known exploits currently reduces immediate risk, but the ease of exploitation and the common use of Tornado in asynchronous web applications necessitate prompt remediation to prevent future attacks.

Mitigation Recommendations

European organizations should immediately upgrade all Tornado deployments to version 6.5.3 or later to ensure the vulnerability is patched. For applications where immediate upgrade is not feasible, implement strict input validation and sanitization on any user-supplied data that could be passed to the 'reason' parameter, ensuring that it does not contain HTML or JavaScript code. Employ Content Security Policy (CSP) headers to restrict the execution of unauthorized scripts in browsers. Review and harden HTTP header handling to prevent header injection and response splitting attacks. Conduct thorough security testing, including automated scanning and manual code reviews, focusing on error handling and status code generation paths. Educate developers about safe usage of Tornado's set_status and HTTPError methods to avoid passing untrusted data directly. Monitor web application logs for suspicious requests containing unusual reason phrases. Finally, maintain an incident response plan to quickly address any detected exploitation attempts.
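As an added illustration that is not part of this advisory or of the Tornado project, the following Python helpers show the two controls the mitigation advice describes for deployments that cannot yet move to 6.5.3: checking or stripping a caller-supplied reason phrase before it reaches RequestHandler.set_status or HTTPError (header injection and, on unpatched versions, HTML injection), and escaping the value in HTML context the way a patched error page must. The allowed-character policy, the `sanitize_reason` and `render_error_page` names, the error-page template shape, and the `LookupHandler` class are assumptions made for this example.

```python
import html
import re

# Constructed policy for this example: a reason phrase may contain only the
# characters RFC 9112 allows in a status line (HTAB, SP, visible ASCII,
# obs-text).  CR and LF are rejected because they terminate the status line
# and would let a following "header" be injected into the response.
_REASON_OK = re.compile(r"[\t\x20-\x7e\x80-\xff]*")

# Characters that are significant in HTML.  On Tornado <= 6.5.2 the reason
# phrase is written into the default error page unescaped, so an input-side
# filter for unpatched versions must also keep these out.
_HTML_SPECIAL = set('<>&"\'')


def is_safe_reason(reason: str) -> bool:
    """True if `reason` contains no control characters and no HTML-significant
    characters, i.e. it can be handed to set_status()/HTTPError as-is."""
    return bool(_REASON_OK.fullmatch(reason)) and not (_HTML_SPECIAL & set(reason))


def sanitize_reason(reason: str, fallback: str = "Error", max_len: int = 64) -> str:
    """Return a reason phrase safe for both the status line and an unescaped
    HTML error page: drop control and HTML-significant characters, collapse
    whitespace, truncate, and fall back to a fixed phrase if nothing is left."""
    cleaned = "".join(
        ch for ch in reason
        if _REASON_OK.fullmatch(ch) and ch not in _HTML_SPECIAL
    )
    cleaned = " ".join(cleaned.split())[:max_len]
    return cleaned or fallback


def render_error_page(code: int, reason: str) -> str:
    """Output-side fix: escape the reason for HTML context before templating.
    The template shape is an assumption modelled on a minimal default error
    page, not Tornado's own code."""
    safe = html.escape(reason, quote=True)
    return f"<html><title>{code}: {safe}</title><body>{code}: {safe}</body></html>"


# Hypothetical handler showing where the input-side check belongs.  Wrapped in
# try/except so the module still imports where tornado is not installed.
try:
    import tornado.web

    class LookupHandler(tornado.web.RequestHandler):
        def get(self) -> None:
            # Risky on <= 6.5.2: request data reaches the reason phrase unchanged.
            #     self.set_status(404, reason=self.get_argument("msg"))
            # Hardened: filter it first (or better, use a fixed phrase).
            msg = self.get_argument("msg", "Not Found")
            self.set_status(404, reason=sanitize_reason(msg))
            self.finish()

except ImportError:  # tornado not available; the helpers above still work.
    tornado = None


if __name__ == "__main__":
    for sample in ("Not Found", "Bad\r\nX-Injected: 1", "<b>Not Found</b>", "\r\n"):
        print(repr(sample), "->", is_safe_reason(sample), repr(sanitize_reason(sample)))
    print(render_error_page(404, "<b>Not Found</b>"))
```

`is_safe_reason` is the check to use when the phrase must come from a fixed table and anything else should be logged and rejected; `sanitize_reason` is the fallback when a dynamic phrase is unavoidable. Neither replaces the upgrade: only 6.5.3 escapes the value in the framework's own output paths.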


Technical Details

Data Version
5.2
Assigner Short Name
GitHub_M
Date Reserved
2025-12-10T19:25:20.819Z
Cvss Version
3.1
State
PUBLISHED

Threat ID: 693badd05785fd87b5f80b8f

Added to database: 12/12/2025, 5:53:20 AM

Last enriched: 12/19/2025, 7:49:09 AM

Last updated: 2/7/2026, 4:50:01 AM

