Source: python-tornado
Version: 6.5.2-3
Severity: important
Tags: security upstream
X-Debbugs-Cc: [email protected], Debian Security Team <[email protected]>
Hi,

The following vulnerability was published for python-tornado.

CVE-2025-67726[0]:
| Tornado is a Python web framework and asynchronous networking
| library. Versions 6.5.2 and below use an inefficient algorithm when
| parsing parameters for HTTP header values, potentially causing a
| DoS. The _parseparam function in httputil.py is used to parse
| specific HTTP header values, such as those in multipart/form-data
| and repeatedly calls string.count() within a nested loop while
| processing quoted semicolons. If an attacker sends a request with a
| large number of maliciously crafted parameters in a
| Content-Disposition header, the server's CPU usage increases
| quadratically (O(n²)) during parsing. Due to Tornado's single event
| loop architecture, a single malicious request can cause the entire
| server to become unresponsive for an extended period. This issue is
| fixed in version 6.5.3.

If you fix the vulnerability please also make sure to include the
CVE (Common Vulnerabilities & Exposures) id in your changelog entry.

For further information see:

[0] https://security-tracker.debian.org/tracker/CVE-2025-67726
    https://www.cve.org/CVERecord?id=CVE-2025-67726
[1] https://github.com/tornadoweb/tornado/security/advisories/GHSA-jhmp-mqwm-3gq8
[2] https://github.com/tornadoweb/tornado/commit/771472cfdaeebc0d89a9cc46e249f8891a6b29cd

Please adjust the affected versions in the BTS as needed.

Regards,
Salvatore
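The quadratic pattern the advisory describes, as an added example that is not part of the bug report and not Tornado's source. parseparam_quadratic() reconstructs the algorithm described in the CVE text (the nested str.count() loop that Tornado's _parseparam shares with the stdlib cgi module's helper of the same name); treat it as a reconstruction, not a verbatim copy of httputil.py. parseparam_linear() and parse_header() are this example's own single-pass alternative and are not the upstream fix in commit 771472c. craft_header() builds a constructed Content-Disposition value with many semicolons inside a quoted filename, and scan_cost() counts the characters str.count() reads so the quadratic growth can be checked without timing.

```python
"""Quadratic vs. single-pass splitting of HTTP header parameters.

Added illustration for CVE-2025-67726; not Tornado's code. The quadratic
function reconstructs the advisory's description (the cgi-module _parseparam
pattern); the linear variant and parse_header() are this example's own.
"""
from __future__ import annotations

import time
from typing import Iterator


def parseparam_quadratic(s: str, stats: dict | None = None) -> Iterator[str]:
    """Split ';'-separated parameters, skipping ';' inside double quotes.

    Every candidate ';' costs two str.count() calls that rescan s[0:end], so a
    quoted value holding n semicolons costs O(n^2) character reads.
    stats["scanned"] accumulates the characters those calls touch.
    """
    while s[:1] == ";":
        s = s[1:]
        end = s.find(";")
        while end > 0:
            if stats is not None:
                stats["scanned"] += 2 * end  # both count() calls read s[0:end]
            # Odd number of unescaped quotes before this ';' means it sits inside
            # a quoted string: reject it and look for the next candidate.
            if (s.count('"', 0, end) - s.count('\\"', 0, end)) % 2 == 0:
                break
            end = s.find(";", end + 1)
        if end < 0:
            end = len(s)
        yield s[:end].strip()
        s = s[end:]


def parseparam_linear(s: str) -> Iterator[str]:
    """Same output as parseparam_quadratic(), in one pass: remember whether we
    are inside quotes instead of recounting quotes for every ';'."""
    pos, n = 0, len(s)
    while pos < n and s[pos] == ";":
        pos += 1  # drop the separator
        in_quotes = False
        end = pos
        while end < n:
            c = s[end]
            if c == '"' and s[end - 1] != "\\":  # '\"' does not toggle, as in the parity test
                in_quotes = not in_quotes
            elif c == ";" and not in_quotes:
                break
            end += 1
        yield s[pos:end].strip()
        pos = end


def parse_header(line: str) -> tuple[str, dict[str, str | None]]:
    """Split e.g. 'form-data; name="f"; filename="a.txt"' into its main value and
    a parameter dict using the single-pass splitter (simplified: no RFC 2231)."""
    parts = parseparam_linear(";" + line)
    key = next(parts)
    params: dict[str, str | None] = {}
    for p in parts:
        i = p.find("=")
        if i < 0:
            params[p] = None
            continue
        name = p[:i].strip().lower()
        value = p[i + 1:].strip()
        if len(value) >= 2 and value[0] == value[-1] == '"':
            value = value[1:-1].replace("\\\\", "\\").replace('\\"', '"')
        params[name] = value
    return key, params


def craft_header(n: int) -> str:
    """Constructed attack sample: a Content-Disposition value whose quoted
    filename holds n semicolons, each a candidate separator the quadratic
    parser rejects only after rescanning the whole prefix."""
    return 'form-data; name="upload"; filename="' + ";" * n + '.txt"'


def scan_cost(n: int) -> int:
    """Characters str.count() reads while parseparam_quadratic() handles craft_header(n)."""
    stats = {"scanned": 0}
    list(parseparam_quadratic(";" + craft_header(n), stats))
    return stats["scanned"]


if __name__ == "__main__":
    for n in (1_000, 2_000, 4_000):
        print(f"n={n:>5}: quadratic parser reads {scan_cost(n):>12,} chars")
    hostile = ";" + craft_header(20_000)
    for label, fn in (("quadratic", parseparam_quadratic), ("linear", parseparam_linear)):
        t0 = time.perf_counter()
        list(fn(hostile))
        print(f"{label:>9}: {time.perf_counter() - t0:.3f}s")
    print(parse_header('form-data; name="f"; filename="a;b \\"c\\".txt"'))
```

Doubling n roughly quadruples what the quadratic parser reads, while the single-pass version reads each byte once. Because Tornado runs request parsing on a single event loop thread, as the advisory notes, the time spent in the quadratic loop is time during which no other request on that process makes progress, which is why one crafted multipart body is enough to stall the server.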

