{"id":"CVE-2025-67726","summary":"Tornado is Vulnerable to Quadratic DoS via Crafted Multipart Parameters","details":"Tornado is a Python web framework and asynchronous networking library. Versions 6.5.2 and below use an inefficient algorithm when parsing parameters for HTTP header values, potentially causing a DoS. The _parseparam function in httputil.py is used to parse specific HTTP header values, such as those in multipart/form-data and repeatedly calls string.count() within a nested loop while processing quoted semicolons. If an attacker sends a request with a large number of maliciously crafted parameters in a Content-Disposition header, the server's CPU usage increases quadratically (O(n²)) during parsing. Due to Tornado's single event loop architecture, a single malicious request can cause the entire server to become unresponsive for an extended period. This issue is fixed in version 6.5.3.","aliases":["GHSA-jhmp-mqwm-3gq8"],"modified":"2026-04-09T04:07:12.495480Z","published":"2025-12-12T06:13:51.336Z","related":["ALSA-2026:0930","SUSE-SU-2026:0010-1","SUSE-SU-2026:0222-1","SUSE-SU-2026:0623-1","SUSE-SU-2026:0625-1","SUSE-SU-2026:0626-1","SUSE-SU-2026:0627-1","SUSE-SU-2026:0629-1","SUSE-SU-2026:0631-1","SUSE-SU-2026:1012-1","SUSE-SU-2026:1014-1","SUSE-SU-2026:1026-1","SUSE-SU-2026:1027-1","SUSE-SU-2026:1028-1","SUSE-SU-2026:1029-1","SUSE-SU-2026:1030-1","SUSE-SU-2026:1140-1","SUSE-SU-2026:1141-1","SUSE-SU-2026:1142-1","SUSE-SU-2026:1146-1","SUSE-SU-2026:1148-1","SUSE-SU-2026:1149-1","SUSE-SU-2026:20007-1","SUSE-SU-2026:20028-1","SUSE-SU-2026:20043-1","SUSE-SU-2026:20071-1","SUSE-SU-2026:20820-1","SUSE-SU-2026:20825-1","openSUSE-SU-2025:15838-1","openSUSE-SU-2026:10110-1","openSUSE-SU-2026:20015-1","openSUSE-SU-2026:20412-1"],"database_specific":{"cwe_ids":["CWE-400","CWE-834"],"osv_generated_from":"https://github.com/CVEProject/cvelistV5/tree/main/cves/2025/67xxx/CVE-2025-67726.json","cna_assigner":"GitHub_M"},"references":[{"type":"WEB","url":"https://github.com/tornadoweb/tornado/releases/tag/v6.5.3"},{"type":"ADVISORY","url":"https://github.com/CVEProject/cvelistV5/tree/main/cves/2025/67xxx/CVE-2025-67726.json"},{"type":"ADVISORY","url":"https://github.com/tornadoweb/tornado/security/advisories/GHSA-jhmp-mqwm-3gq8"},{"type":"ADVISORY","url":"https://nvd.nist.gov/vuln/detail/CVE-2025-67726"},{"type":"FIX","url":"https://github.com/tornadoweb/tornado/commit/771472cfdaeebc0d89a9cc46e249f8891a6b29cd"}],"affected":[{"ranges":[{"type":"GIT","repo":"https://github.com/tornadoweb/tornado","events":[{"introduced":"0"},{"fixed":"38014ddb51520ff7762c1d55535925dba2cdbe31"}]}],"versions":["v1.0.0","v1.1.0","v1.2.0","v2.0.0","v2.1.0","v2.1.1","v2.2.0","v2.3.0","v3.0.0","v3.0.1","v3.1.0","v3.2.0","v3.2.0b1","v3.2.0b2","v4.0.0","v4.0.0b1","v4.0.0b2","v4.0.0b3","v4.1.0","v4.1.0b1","v4.1.0b2","v4.2.0","v4.2.0b1","v4.3.0","v4.3.0b1","v4.3.0b2","v4.4.0","v4.4.0b1","v4.4.1","v4.5.0","v4.5.1","v5.0.0","v5.1.0","v6.0.0","v6.0.0b1","v6.1.0","v6.1.0b1","v6.1.0b2","v6.2.0","v6.2.0b1","v6.2.0b2","v6.3.0","v6.3.0b1","v6.3.1","v6.4.0","v6.4.0b1","v6.4.1","v6.5.0","v6.5.0b1","v6.5.1","v6.5.2"],"database_specific":{"source":"https://storage.googleapis.com/osv-test-cve-osv-conversion/osv-output/CVE-2025-67726.json"}}],"schema_version":"1.7.5","severity":[{"type":"CVSS_V3","score":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H"}]}