Search

Find a vulnerability

Search criteria Use this form to refine search results.
Full-text search supports keyword queries with ranking and filtering.
You can combine vendor, product, and sources to narrow results.
Enable “Apply ordering” to sort by date instead of relevance.

    Related vulnerabilities

    CVE-2025-67724 (GCVE-0-2025-67724)

    Vulnerability from cvelistv5 – Published: 2025-12-12 05:36 – Updated: 2025-12-18 18:53
    VLAI
    Title
    Tornado vulnerable to Header Injection and XSS via reason argument
    Summary
    Tornado is a Python web framework and asynchronous networking library. In versions 6.5.2 and below, the supplied reason phrase is used unescaped in HTTP headers (where it could be used for header injection) or in HTML in the default error page (where it could be used for XSS) and can be exploited by passing untrusted or malicious data into the reason argument. Used by both RequestHandler.set_status and tornado.web.HTTPError, the argument is designed to allow applications to pass custom "reason" phrases (the "Not Found" in HTTP/1.1 404 Not Found) to the HTTP status line (mainly for non-standard status codes). This issue is fixed in version 6.5.3.
    SSVC
    Exploitation: none Automatable: no Technical Impact: partial
    CISA Coordinator (v2.0.3)
    CWE
    • CWE-79 - Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
    • CWE-644 - Improper Neutralization of HTTP Headers for Scripting Syntax
    Assigner
    Impacted products
    Vendor Product Version
    tornadoweb tornado Affected: < 6.5.3
    Create a notification for this product.
    Show details on NVD website

    {
      "containers": {
        "adp": [
          {
            "metrics": [
              {
                "other": {
                  "content": {
                    "id": "CVE-2025-67724",
                    "options": [
                      {
                        "Exploitation": "none"
                      },
                      {
                        "Automatable": "no"
                      },
                      {
                        "Technical Impact": "partial"
                      }
                    ],
                    "role": "CISA Coordinator",
                    "timestamp": "2025-12-18T18:53:21.062311Z",
                    "version": "2.0.3"
                  },
                  "type": "ssvc"
                }
              }
            ],
            "providerMetadata": {
              "dateUpdated": "2025-12-18T18:53:38.061Z",
              "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
              "shortName": "CISA-ADP"
            },
            "title": "CISA ADP Vulnrichment"
          }
        ],
        "cna": {
          "affected": [
            {
              "product": "tornado",
              "vendor": "tornadoweb",
              "versions": [
                {
                  "status": "affected",
                  "version": "\u003c 6.5.3"
                }
              ]
            }
          ],
          "descriptions": [
            {
              "lang": "en",
              "value": "Tornado is a Python web framework and asynchronous networking library. In versions 6.5.2 and below, the supplied reason phrase is used unescaped in HTTP headers (where it could be used for header injection) or in HTML in the default error page (where it could be used for XSS) and can be exploited by passing untrusted or malicious data into the reason argument. Used by both RequestHandler.set_status and tornado.web.HTTPError, the argument is designed to allow applications to pass custom \"reason\" phrases (the \"Not Found\" in HTTP/1.1 404 Not Found) to the HTTP status line (mainly for non-standard status codes). This issue is fixed in version 6.5.3."
            }
          ],
          "metrics": [
            {
              "cvssV3_1": {
                "attackComplexity": "LOW",
                "attackVector": "NETWORK",
                "availabilityImpact": "NONE",
                "baseScore": 5.4,
                "baseSeverity": "MEDIUM",
                "confidentialityImpact": "LOW",
                "integrityImpact": "LOW",
                "privilegesRequired": "NONE",
                "scope": "UNCHANGED",
                "userInteraction": "REQUIRED",
                "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:L/A:N",
                "version": "3.1"
              }
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "cweId": "CWE-79",
                  "description": "CWE-79: Improper Neutralization of Input During Web Page Generation (\u0027Cross-site Scripting\u0027)",
                  "lang": "en",
                  "type": "CWE"
                }
              ]
            },
            {
              "descriptions": [
                {
                  "cweId": "CWE-644",
                  "description": "CWE-644: Improper Neutralization of HTTP Headers for Scripting Syntax",
                  "lang": "en",
                  "type": "CWE"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2025-12-12T05:36:59.992Z",
            "orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
            "shortName": "GitHub_M"
          },
          "references": [
            {
              "name": "https://github.com/tornadoweb/tornado/security/advisories/GHSA-pr2v-jx2c-wg9f",
              "tags": [
                "x_refsource_CONFIRM"
              ],
              "url": "https://github.com/tornadoweb/tornado/security/advisories/GHSA-pr2v-jx2c-wg9f"
            },
            {
              "name": "https://github.com/tornadoweb/tornado/commit/9c163aebeaad9e6e7d28bac1f33580eb00b0e421",
              "tags": [
                "x_refsource_MISC"
              ],
              "url": "https://github.com/tornadoweb/tornado/commit/9c163aebeaad9e6e7d28bac1f33580eb00b0e421"
            },
            {
              "name": "https://github.com/tornadoweb/tornado/releases/tag/v6.5.3",
              "tags": [
                "x_refsource_MISC"
              ],
              "url": "https://github.com/tornadoweb/tornado/releases/tag/v6.5.3"
            }
          ],
          "source": {
            "advisory": "GHSA-pr2v-jx2c-wg9f",
            "discovery": "UNKNOWN"
          },
          "title": "Tornado vulnerable to Header Injection and XSS via reason argument"
        }
      },
      "cveMetadata": {
        "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
        "assignerShortName": "GitHub_M",
        "cveId": "CVE-2025-67724",
        "datePublished": "2025-12-12T05:36:59.992Z",
        "dateReserved": "2025-12-10T19:25:20.819Z",
        "dateUpdated": "2025-12-18T18:53:38.061Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.2"
    }

    PYSEC-2025-265

    Vulnerability from pysec - Published: 2025-12-12 06:15 - Updated: 2026-07-13 05:52
    VLAI
    Details

    Tornado is a Python web framework and asynchronous networking library. In versions 6.5.2 and below, the supplied reason phrase is used unescaped in HTTP headers (where it could be used for header injection) or in HTML in the default error page (where it could be used for XSS) and can be exploited by passing untrusted or malicious data into the reason argument. Used by both RequestHandler.set_status and tornado.web.HTTPError, the argument is designed to allow applications to pass custom "reason" phrases (the "Not Found" in HTTP/1.1 404 Not Found) to the HTTP status line (mainly for non-standard status codes). This issue is fixed in version 6.5.3.

    Impacted products
    Name purl
    tornado pkg:pypi/tornado

    {
      "affected": [
        {
          "ecosystem_specific": {},
          "package": {
            "ecosystem": "PyPI",
            "name": "tornado",
            "purl": "pkg:pypi/tornado"
          },
          "ranges": [
            {
              "events": [
                {
                  "introduced": "0"
                },
                {
                  "fixed": "6.5.3"
                }
              ],
              "type": "ECOSYSTEM"
            }
          ],
          "versions": [
            "0.2",
            "1.0",
            "1.1",
            "1.1.1",
            "1.2",
            "1.2.1",
            "2.0",
            "2.1",
            "2.1.1",
            "2.2",
            "2.2.1",
            "2.3",
            "2.4",
            "2.4.1",
            "3.0",
            "3.0.1",
            "3.0.2",
            "3.1",
            "3.1.1",
            "3.2",
            "3.2.1",
            "3.2.2",
            "4.0",
            "4.0.1",
            "4.0.2",
            "4.1",
            "4.1b2",
            "4.2",
            "4.2.1",
            "4.2b1",
            "4.3",
            "4.3b1",
            "4.3b2",
            "4.4",
            "4.4.1",
            "4.4.2",
            "4.4.3",
            "4.4b1",
            "4.5",
            "4.5.1",
            "4.5.2",
            "4.5.3",
            "4.5b1",
            "4.5b2",
            "5.0",
            "5.0.1",
            "5.0.2",
            "5.0a1",
            "5.0b1",
            "5.1",
            "5.1.1",
            "5.1b1",
            "6.0",
            "6.0.1",
            "6.0.2",
            "6.0.3",
            "6.0.4",
            "6.0a1",
            "6.0b1",
            "6.1",
            "6.1b1",
            "6.1b2",
            "6.2",
            "6.2b1",
            "6.2b2",
            "6.3",
            "6.3.1",
            "6.3.2",
            "6.3.3",
            "6.3b1",
            "6.4",
            "6.4.1",
            "6.4.2",
            "6.4b1",
            "6.5",
            "6.5.1",
            "6.5.2",
            "6.5b1"
          ]
        }
      ],
      "aliases": [
        "CVE-2025-67724",
        "GHSA-pr2v-jx2c-wg9f"
      ],
      "details": "Tornado is a Python web framework and asynchronous networking library. In versions 6.5.2 and below, the supplied reason phrase is used unescaped in HTTP headers (where it could be used for header injection) or in HTML in the default error page (where it could be used for XSS) and can be exploited by passing untrusted or malicious data into the reason argument. Used by both RequestHandler.set_status and tornado.web.HTTPError, the argument is designed to allow applications to pass custom \"reason\" phrases (the \"Not Found\" in HTTP/1.1 404 Not Found) to the HTTP status line (mainly for non-standard status codes). This issue is fixed in version 6.5.3.",
      "id": "PYSEC-2025-265",
      "modified": "2026-07-13T05:52:13.827727Z",
      "published": "2025-12-12T06:15:41.213Z",
      "references": [
        {
          "type": "ADVISORY",
          "url": "https://github.com/tornadoweb/tornado/releases/tag/v6.5.3"
        },
        {
          "type": "ADVISORY",
          "url": "https://github.com/tornadoweb/tornado/security/advisories/GHSA-pr2v-jx2c-wg9f"
        },
        {
          "type": "FIX",
          "url": "https://github.com/tornadoweb/tornado/commit/9c163aebeaad9e6e7d28bac1f33580eb00b0e421"
        }
      ],
      "severity": [
        {
          "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N",
          "type": "CVSS_V3"
        }
      ]
    }