Fluid Attacks Database

Description

An unescaped input flaw has been discovered in the Tornado networking library. In Tornado, the supplied reason phrase is used unescaped in HTTP headers (where it could be used for header injection) or in HTML in the default error page (where it could be used for XSS) and can be exploited by passing untrusted or malicious data into the reason argument. Used by both RequestHandler.set_status and tornado.web.HTTPError, the argument is designed to allow applications to pass custom "reason" phrases (the "Not Found" in HTTP/1.1 404 Not Found) to the HTTP status line (mainly for non-standard status codes).

Mitigation

Update Impact

Minimal update. May introduce new vulnerabilities or breaking changes.

Ecosystem	Package	Affected version	Patched versions
debian 14	python-tornado	=6.4.2-3 \|\| =6.5.2-1 \|\| =6.5.2-2 \|\| =6.5.2-3 \|\| >=0 <6.5.4-0.1	6.5.4-0.1
debian 12	python-tornado	=6.2.0-3 \|\| =6.2.0-3+deb12u1 \|\| =6.2.0-3+deb12u2 \|\| =6.2.0-3+deb12u3 \|\| >=0 <6.2.0-3+deb12u4	6.2.0-3+deb12u4
debian 13	python-tornado	=6.4.2-3 \|\| =6.4.2-3+deb13u1 \|\| >=0 <6.4.2-3+deb13u2	6.4.2-3+deb13u2
debian 11	python-tornado	=6.1.0-1 \|\| =6.1.0-1+deb11u1 \|\| =6.1.0-1+deb11u2 \|\| >=0 <6.1.0-1+deb11u3	6.1.0-1+deb11u3
rpm rhel9	keylime-verifier	-	-
rpm rhel10	keylime-registrar	-	-
rpm rhel9	keylime-registrar	-	-
rpm rhel10	keylime-verifier	-	-

Aliases

1. CVE-2025-677242. NVD-2025-677243. OSV-DEBIAN-2025-677244. OSV-2025-677245. SECURITY-TRACKER-CVE-2025-67724

Does your application use this vulnerable software?

During the free trial, our tools assess your application, identify vulnerabilities, and provide recommendations for their remediation.