Source: python-tornado
Version: 6.5.2-3
Severity: important
Tags: security upstream
X-Debbugs-Cc: [email protected], Debian Security Team <[email protected]>

Hi,

The following vulnerability was published for python-tornado.

CVE-2025-67724[0]:
| Tornado is a Python web framework and asynchronous networking
| library. In versions 6.5.2 and below, the supplied reason phrase is
| used unescaped in HTTP headers (where it could be used for header
| injection) or in HTML in the default error page (where it could be
| used for XSS) and can be exploited by passing untrusted or malicious
| data into the reason argument. Used by both
| RequestHandler.set_status and tornado.web.HTTPError, the argument is
| designed to allow applications to pass custom "reason" phrases (the
| "Not Found" in HTTP/1.1 404 Not Found) to the HTTP status line
| (mainly for non-standard status codes). This issue is fixed in
| version 6.5.3.

If you fix the vulnerability please also make sure to include the
CVE (Common Vulnerabilities & Exposures) id in your changelog entry.

For further information see:

[0] https://security-tracker.debian.org/tracker/CVE-2025-67724
    https://www.cve.org/CVERecord?id=CVE-2025-67724
[1] https://github.com/tornadoweb/tornado/security/advisories/GHSA-pr2v-jx2c-wg9f
[2] https://github.com/tornadoweb/tornado/commit/9c163aebeaad9e6e7d28bac1f33580eb00b0e421

Please adjust the affected versions in the BTS as needed.

Regards,
Salvatore
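Not part of Salvatore's report or of Tornado's code: an added example of the two defensive checks the CVE text implies for an application that forwards untrusted input to the reason argument, one for the status line (control characters) and one for the error page (HTML escaping). The error-page layout and the function names are this example's own assumptions, and the sample inputs are constructed.

```python
import html
import re

# RFC 7230 reason-phrase = *( HTAB / SP / VCHAR / obs-text ); CR, LF and
# other control characters fall outside it, and they are exactly what a
# header-injection attempt relies on.
_REASON_RE = re.compile(r"[\t \x21-\x7e\x80-\xff]*")


def is_valid_reason(reason: str) -> bool:
    """True if `reason` can be placed on an HTTP status line unchanged."""
    return _REASON_RE.fullmatch(reason) is not None


def build_status_line(code: int, reason: str) -> str:
    """Return 'HTTP/1.1 <code> <reason>\\r\\n', refusing injection attempts."""
    # Validate rather than strip: a caller passing attacker data here has a
    # bug, and a ValueError surfaces it instead of silently altering output.
    if not is_valid_reason(reason):
        raise ValueError("reason phrase contains characters not allowed in a status line")
    return f"HTTP/1.1 {code} {reason}\r\n"


def render_error_page(code: int, reason: str) -> str:
    """Minimal error body with the reason phrase HTML-escaped."""
    # The HTML layout here is this example's own, not Tornado's template.
    safe = html.escape(reason, quote=True)
    return f"<html><title>{code}: {safe}</title><body>{code}: {safe}</body></html>"


def demo() -> dict:
    """Run both checks on constructed inputs and report the outcome."""
    # Constructed samples: a benign custom phrase, one carrying CRLF (header
    # injection) and one carrying markup (XSS in the error page).
    benign = "Teapot"
    crlf = "OK\r\nX-Injected: yes"
    markup = "<script>alert(1)</script>"
    try:
        build_status_line(200, crlf)
        crlf_rejected = False
    except ValueError:
        crlf_rejected = True
    return {
        "benign_line": build_status_line(418, benign),
        "crlf_rejected": crlf_rejected,
        "escaped_page": render_error_page(500, markup),
    }
```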

