Source: python-tornado
Version: 6.5.2-3
Severity: important
Tags: security upstream
X-Debbugs-Cc: [email protected], Debian Security Team <[email protected]>

Hi,

The following vulnerability was published for python-tornado.

CVE-2025-67725[0]:
| Tornado is a Python web framework and asynchronous networking
| library. In versions 6.5.2 and below, a single maliciously crafted
| HTTP request can block the server's event loop for an extended
| period, caused by the HTTPHeaders.add method. The function
| accumulates values using string concatenation when the same header
| name is repeated, causing a Denial of Service (DoS). Due to Python
| string immutability, each concatenation copies the entire string,
| resulting in O(n²) time complexity. The severity can vary from high
| if max_header_size has been increased from its default, to low if it
| has its default value of 64KB. This issue is fixed in version 6.5.3.

If you fix the vulnerability please also make sure to include the
CVE (Common Vulnerabilities & Exposures) id in your changelog entry.

For further information see:

[0] https://security-tracker.debian.org/tracker/CVE-2025-67725
    https://www.cve.org/CVERecord?id=CVE-2025-67725
[1] https://github.com/tornadoweb/tornado/security/advisories/GHSA-c98p-7wgm-6p64
[2] https://github.com/tornadoweb/tornado/commit/771472cfdaeebc0d89a9cc46e249f8891a6b29cd

Please adjust the affected versions in the BTS as needed.

Regards,
Salvatore
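The quadratic accumulation the advisory describes, modelled as an added example (this is neither Tornado's code nor the upstream fix): a header store that rebuilds the combined value by string concatenation on every add, beside one that appends to a list and joins only on read. The class and function names are hypothetical, and a counter of characters copied stands in for wall-clock time so the difference is deterministic.

```python
from collections import defaultdict


def _normalize(name: str) -> str:
    # HTTP header names are case-insensitive.
    return name.strip().lower()


class ConcatHeaders:
    """Vulnerable shape: combined value rebuilt by concatenation on each add."""

    def __init__(self) -> None:
        self._dict = {}
        self.chars_copied = 0  # cost model: each new str is a full copy

    def add(self, name: str, value: str) -> None:
        key = _normalize(name)
        if key in self._dict:
            # Copies the whole accumulated value plus the new one: O(n) per add.
            combined = self._dict[key] + "," + value
            self.chars_copied += len(combined)
            self._dict[key] = combined
        else:
            self._dict[key] = value
            self.chars_copied += len(value)

    def get(self, name: str) -> str:
        return self._dict[_normalize(name)]


class ListHeaders:
    """Hardened shape: append to a list, join once when the value is read."""

    def __init__(self) -> None:
        self._as_list = defaultdict(list)
        self.chars_copied = 0

    def add(self, name: str, value: str) -> None:
        # Amortised O(1); earlier values are never copied again.
        self._as_list[_normalize(name)].append(value)
        self.chars_copied += len(value)

    def get(self, name: str) -> str:
        joined = ",".join(self._as_list[_normalize(name)])  # one pass
        self.chars_copied += len(joined)
        return joined


def copy_cost(store_cls, repeats: int, value: str = "x") -> tuple:
    """Add one header `repeats` times; return (combined value, chars copied)."""
    store = store_cls()
    for _ in range(repeats):
        store.add("X-Repeated", value)
    return store.get("x-repeated"), store.chars_copied
```

With 1000 repeats the concatenating store copies 1,000,000 characters (n²) to produce a 1999-character value, while the list-backed store copies 2999; both return the same combined value.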

