Fluid Attacks Database

Description

A denial of service flaw has been discovered in the Tornado networking library. In Tornado, a single maliciously crafted HTTP request can block the server's event loop for an extended period, caused by the HTTPHeaders.add method. The function accumulates values using string concatenation when the same header name is repeated, causing a Denial of Service (DoS). Due to Python string immutability, each concatenation copies the entire string, resulting in O(n²) time complexity.

Mitigation

Update Impact

Minimal update. May introduce new vulnerabilities or breaking changes.

Ecosystem	Package	Affected version	Patched versions
debian 14	python-tornado	=6.4.2-3 \|\| =6.5.2-1 \|\| =6.5.2-2 \|\| =6.5.2-3 \|\| >=0 <6.5.4-0.1	6.5.4-0.1
debian 12	python-tornado	=6.2.0-3 \|\| =6.2.0-3+deb12u1 \|\| =6.2.0-3+deb12u2 \|\| =6.2.0-3+deb12u3 \|\| >=0 <6.2.0-3+deb12u4	6.2.0-3+deb12u4
debian 11	python-tornado	=6.1.0-1 \|\| =6.1.0-1+deb11u1 \|\| =6.1.0-1+deb11u2 \|\| >=0 <6.1.0-1+deb11u3	6.1.0-1+deb11u3
debian 13	python-tornado	=6.4.2-3 \|\| =6.4.2-3+deb13u1 \|\| >=0 <6.4.2-3+deb13u2	6.4.2-3+deb13u2
rpm rhel9	keylime-verifier	-	-
rpm rhel9	pcs	-	-
rpm rhel8	pcs	<0:0.10.18-2.el8_10.8	0:0.10.18-2.el8_10.8
rpm rhel8.4	pcs	<0:0.10.8-1.el8_4.10	0:0.10.8-1.el8_4.10
rpm rhel10	keylime-registrar	-	-
rpm rhel9	keylime-registrar	-	-

1-10 of 11

Aliases

1. CVE-2025-677252. NVD-2025-677253. OSV-DEBIAN-2025-677254. OSV-2025-677255. SECURITY-TRACKER-CVE-2025-67725

Does your application use this vulnerable software?

During the free trial, our tools assess your application, identify vulnerabilities, and provide recommendations for their remediation.