Fluid Attacks Database

Description

A denial of service flaw has been discovered in the Tornado networking library. Affected versions of Tornado us an inefficient algorithm when parsing parameters for HTTP header values, potentially causing a DoS. The _parseparam function in httputil.py is used to parse specific HTTP header values, such as those in multipart/form-data and repeatedly calls string.count() within a nested loop while processing quoted semicolons. If an attacker sends a request with a large number of maliciously crafted parameters in a Content-Disposition header, the server's CPU usage increases quadratically (O(n²)) during parsing. Due to Tornado's single event loop architecture, a single malicious request can cause the entire server to become unresponsive for an extended period.

Mitigation

Update Impact

Minimal update. May introduce new vulnerabilities or breaking changes.

Ecosystem	Package	Affected version	Patched versions
debian 12	python-tornado	=6.2.0-3 \|\| =6.2.0-3+deb12u1 \|\| =6.2.0-3+deb12u2 \|\| =6.2.0-3+deb12u3 \|\| >=0 <6.2.0-3+deb12u4	6.2.0-3+deb12u4
debian 11	python-tornado	=6.1.0-1 \|\| =6.1.0-1+deb11u1 \|\| =6.1.0-1+deb11u2 \|\| >=0 <6.1.0-1+deb11u3	6.1.0-1+deb11u3
debian 13	python-tornado	=6.4.2-3 \|\| =6.4.2-3+deb13u1 \|\| >=0 <6.4.2-3+deb13u2	6.4.2-3+deb13u2
debian 14	python-tornado	=6.4.2-3 \|\| =6.5.2-1 \|\| =6.5.2-2 \|\| =6.5.2-3 \|\| >=0 <6.5.4-0.1	6.5.4-0.1
rpm rhel9	keylime-registrar	-	-
rpm rhel8.4	pcs	<0:0.10.8-1.el8_4.10	0:0.10.8-1.el8_4.10
rpm rhel10	keylime-registrar	-	-
rpm rhel10	keylime-verifier	-	-
rpm rhel9	keylime-verifier	-	-
rpm rhel8	pcs	<0:0.10.18-2.el8_10.8	0:0.10.18-2.el8_10.8

1-10 of 11

Aliases

1. CVE-2025-677262. NVD-2025-677263. OSV-DEBIAN-2025-677264. OSV-2025-677265. SECURITY-TRACKER-CVE-2025-67726

Does your application use this vulnerable software?

During the free trial, our tools assess your application, identify vulnerabilities, and provide recommendations for their remediation.