CVE-2025-67726: CWE-834: Excessive Iteration in tornadoweb tornado
Tornado is a Python web framework and asynchronous networking library. Versions 6.5.2 and below use an inefficient algorithm when parsing parameters for HTTP header values, potentially causing a DoS. The _parseparam function in httputil.py is used to parse specific HTTP header values, such as those in multipart/form-data and repeatedly calls string.count() within a nested loop while processing quoted semicolons. If an attacker sends a request with a large number of maliciously crafted parameters in a Content-Disposition header, the server's CPU usage increases quadratically (O(n²)) during parsing. Due to Tornado's single event loop architecture, a single malicious request can cause the entire server to become unresponsive for an extended period. This issue is fixed in version 6.5.3.
AI Analysis
Technical Summary
CVE-2025-67726 is a denial-of-service vulnerability affecting Tornado, a popular Python web framework and asynchronous networking library, in versions 6.5.2 and below. The root cause lies in the _parseparam function within httputil.py, which is responsible for parsing parameters in HTTP header values such as those found in multipart/form-data Content-Disposition headers. This function uses a nested loop that repeatedly calls string.count() to process quoted semicolons, resulting in an O(n²) time complexity relative to the number of parameters. An attacker can craft a malicious HTTP request containing a large number of parameters with quoted semicolons in the Content-Disposition header, triggering excessive CPU consumption during parsing. Because Tornado operates on a single event loop, this CPU exhaustion blocks the processing of all other requests, effectively causing a denial-of-service condition. The vulnerability requires no authentication or user interaction, making it remotely exploitable over the network. While no known exploits have been reported in the wild, the vulnerability is rated with a CVSS 3.1 score of 7.5 (high severity) due to its potential to disrupt service availability. The issue is resolved in Tornado version 6.5.3, where the parsing algorithm has been optimized to prevent excessive iteration.
Potential Impact
For European organizations using Tornado versions prior to 6.5.3, this vulnerability poses a significant risk of service disruption through denial-of-service attacks. Since Tornado is widely used in web applications and asynchronous services, especially in sectors like finance, healthcare, and public services, an attacker could remotely cause server unresponsiveness, leading to downtime, degraded user experience, and potential loss of business continuity. The single-threaded event loop architecture exacerbates the impact, as one malicious request can halt all processing. While confidentiality and integrity are not directly affected, the availability impact can indirectly affect trust and operational reliability. Organizations relying on Tornado-based services exposed to the internet are particularly vulnerable. The absence of known exploits suggests a window for proactive mitigation before active exploitation emerges.
Mitigation Recommendations
European organizations should immediately upgrade all Tornado deployments to version 6.5.3 or later to apply the fix for this vulnerability. Where immediate upgrading is not feasible, implement web application firewalls (WAFs) or reverse proxies with rules to detect and block HTTP requests containing unusually large or suspicious Content-Disposition headers with excessive parameters or quoted semicolons. Rate limiting and request size restrictions can reduce the risk of exploitation. Monitoring server CPU usage and request patterns can help detect potential exploitation attempts early. Additionally, consider isolating Tornado services behind load balancers or service meshes that can absorb or filter malicious traffic. Developers should review any custom parsing logic for similar inefficiencies and apply best practices for input validation and parsing optimization. Regular vulnerability scanning and patch management processes must be enforced to prevent exploitation of this and similar vulnerabilities.
Affected Countries
Germany, France, United Kingdom, Netherlands, Sweden, Italy, Spain
CVE-2025-67726: CWE-834: Excessive Iteration in tornadoweb tornado
Description
Tornado is a Python web framework and asynchronous networking library. Versions 6.5.2 and below use an inefficient algorithm when parsing parameters for HTTP header values, potentially causing a DoS. The _parseparam function in httputil.py is used to parse specific HTTP header values, such as those in multipart/form-data and repeatedly calls string.count() within a nested loop while processing quoted semicolons. If an attacker sends a request with a large number of maliciously crafted parameters in a Content-Disposition header, the server's CPU usage increases quadratically (O(n²)) during parsing. Due to Tornado's single event loop architecture, a single malicious request can cause the entire server to become unresponsive for an extended period. This issue is fixed in version 6.5.3.
AI-Powered Analysis
Technical Analysis
CVE-2025-67726 is a denial-of-service vulnerability affecting Tornado, a popular Python web framework and asynchronous networking library, in versions 6.5.2 and below. The root cause lies in the _parseparam function within httputil.py, which is responsible for parsing parameters in HTTP header values such as those found in multipart/form-data Content-Disposition headers. This function uses a nested loop that repeatedly calls string.count() to process quoted semicolons, resulting in an O(n²) time complexity relative to the number of parameters. An attacker can craft a malicious HTTP request containing a large number of parameters with quoted semicolons in the Content-Disposition header, triggering excessive CPU consumption during parsing. Because Tornado operates on a single event loop, this CPU exhaustion blocks the processing of all other requests, effectively causing a denial-of-service condition. The vulnerability requires no authentication or user interaction, making it remotely exploitable over the network. While no known exploits have been reported in the wild, the vulnerability is rated with a CVSS 3.1 score of 7.5 (high severity) due to its potential to disrupt service availability. The issue is resolved in Tornado version 6.5.3, where the parsing algorithm has been optimized to prevent excessive iteration.
Potential Impact
For European organizations using Tornado versions prior to 6.5.3, this vulnerability poses a significant risk of service disruption through denial-of-service attacks. Since Tornado is widely used in web applications and asynchronous services, especially in sectors like finance, healthcare, and public services, an attacker could remotely cause server unresponsiveness, leading to downtime, degraded user experience, and potential loss of business continuity. The single-threaded event loop architecture exacerbates the impact, as one malicious request can halt all processing. While confidentiality and integrity are not directly affected, the availability impact can indirectly affect trust and operational reliability. Organizations relying on Tornado-based services exposed to the internet are particularly vulnerable. The absence of known exploits suggests a window for proactive mitigation before active exploitation emerges.
Mitigation Recommendations
European organizations should immediately upgrade all Tornado deployments to version 6.5.3 or later to apply the fix for this vulnerability. Where immediate upgrading is not feasible, implement web application firewalls (WAFs) or reverse proxies with rules to detect and block HTTP requests containing unusually large or suspicious Content-Disposition headers with excessive parameters or quoted semicolons. Rate limiting and request size restrictions can reduce the risk of exploitation. Monitoring server CPU usage and request patterns can help detect potential exploitation attempts early. Additionally, consider isolating Tornado services behind load balancers or service meshes that can absorb or filter malicious traffic. Developers should review any custom parsing logic for similar inefficiencies and apply best practices for input validation and parsing optimization. Regular vulnerability scanning and patch management processes must be enforced to prevent exploitation of this and similar vulnerabilities.
Affected Countries
Technical Details
- Data Version
- 5.2
- Assigner Short Name
- GitHub_M
- Date Reserved
- 2025-12-10T19:25:20.819Z
- Cvss Version
- 3.1
- State
- PUBLISHED
Threat ID: 693bc3e35f3fdafda42e6cf9
Added to database: 12/12/2025, 7:27:31 AM
Last enriched: 12/19/2025, 7:49:38 AM
Last updated: 2/7/2026, 7:46:34 PM
Views: 154
Community Reviews
0 reviewsCrowdsource mitigation strategies, share intel context, and vote on the most helpful responses. Sign in to add your voice and help keep defenders ahead.
Want to contribute mitigation steps or threat intel context? Sign in or create an account to join the community discussion.
Related Threats
CVE-2026-2109: Improper Authorization in jsbroks COCO Annotator
MediumCVE-2026-2108: Denial of Service in jsbroks COCO Annotator
MediumCVE-2026-2107: Improper Authorization in yeqifu warehouse
MediumCVE-2026-2106: Improper Authorization in yeqifu warehouse
MediumCVE-2026-2105: Improper Authorization in yeqifu warehouse
MediumActions
Updates to AI analysis require Pro Console access. Upgrade inside Console → Billing.
Need more coverage?
Upgrade to Pro Console in Console -> Billing for AI refresh and higher limits.
For incident response and remediation, OffSeq services can help resolve threats faster.