CVE-2025-67725 Overview
A Denial of Service (DoS) vulnerability has been identified in Tornado, a popular Python web framework and asynchronous networking library. The vulnerability exists in versions 6.5.2 and below, where a single maliciously crafted HTTP request can block the server's event loop for an extended period. This is caused by an algorithmic complexity issue in the HTTPHeaders.add method, which accumulates header values using string concatenation when the same header name is repeated.
Critical Impact
A single malicious HTTP request can block Tornado's event loop, causing complete service unavailability for all connected clients. The severity varies based on the max_header_size configuration—higher limits dramatically increase the attack impact.
Affected Products
- Tornadoweb Tornado versions 6.5.2 and below
Discovery Timeline
- 2025-12-12 - CVE-2025-67725 published to NVD
- 2025-12-22 - Last updated in NVD database
Technical Details for CVE-2025-67725
Vulnerability Analysis
This vulnerability is classified as CWE-400 (Uncontrolled Resource Consumption), manifesting as an algorithmic complexity attack against Tornado's HTTP header parsing mechanism. The core issue resides in the HTTPHeaders.add method, which handles incoming HTTP headers.
When processing HTTP requests, the method accumulates values for repeated header names using string concatenation. Due to Python's string immutability, each concatenation operation creates a new string object and copies the entire existing string content. This results in O(n²) time complexity, where n represents the total size of concatenated header values.
An attacker can exploit this by sending a single HTTP request with numerous repetitions of the same header name. Each subsequent header value triggers a full copy of the string accumulated so far, so total processing time grows quadratically with the number of repeats. The impact severity correlates directly with the server's max_header_size configuration: servers with the default 64KB limit experience lower impact, while servers with increased limits face significantly greater risk.
Root Cause
The root cause is the use of inefficient string concatenation for accumulating HTTP header values in the HTTPHeaders.add method. Python strings are immutable, meaning each concatenation creates a new string object and copies all existing data. When an attacker sends many headers with the same name, the repeated concatenations cause quadratic time complexity, blocking the asynchronous event loop and preventing the server from handling any other requests.
Attack Vector
The attack is network-based and requires no authentication or user interaction. An attacker sends a specially crafted HTTP request containing numerous repetitions of the same header name with values designed to maximize the concatenation overhead. The Tornado server processes this request synchronously within its event loop, and the O(n²) string operations block the entire loop, denying service to all legitimate clients.
The vulnerability can be exploited by crafting an HTTP request with repeated headers. For example, sending thousands of instances of the same header name with varying values causes the HTTPHeaders.add method to perform increasingly expensive string concatenation operations. See the GitHub Security Advisory GHSA-c98p-7wgm-6p64 for detailed technical information on the exploitation mechanism.
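The following is an added illustration of the mechanism described above; it is a minimal model written for this page, not Tornado's own HTTPHeaders code. It contrasts accumulating repeated header values by string concatenation with accumulating them in a list that is joined on read, and includes a deterministic cost model showing the quadratic growth in characters copied.

```python
"""Added illustration of the CVE-2025-67725 mechanism (not Tornado's code):
a minimal model of repeated-header accumulation by string concatenation
versus accumulation in a list that is joined on read."""
import time


def add_concat(headers: dict, name: str, value: str) -> None:
    """Vulnerable pattern: each repeat rebuilds the whole accumulated string."""
    key = name.lower()
    if key in headers:
        headers[key] = headers[key] + "," + value  # copies everything so far
    else:
        headers[key] = value


def add_list(headers: dict, name: str, value: str) -> None:
    """Hardened pattern: append to a list; join only when the header is read."""
    headers.setdefault(name.lower(), []).append(value)


def get_list(headers: dict, name: str) -> str:
    """Read accessor for the list-backed model: one join per read."""
    return ",".join(headers[name.lower()])


def chars_copied(count: int, value_len: int, concat: bool) -> int:
    """Deterministic cost model: characters written while adding `count`
    values of `value_len` chars under the same header name."""
    if not concat:
        return count * value_len  # one final join touches each value once
    total, accumulated = 0, value_len
    for _ in range(count - 1):
        accumulated += 1 + value_len  # comma plus the new value
        total += accumulated  # the whole new string is written out again
    return total


def measure(add, count: int, value: str = "x" * 200) -> float:
    """Wall-clock seconds to add `count` repeats with the given strategy."""
    headers = {}
    start = time.perf_counter()
    for _ in range(count):
        add(headers, "X-Repeated", value)
    return time.perf_counter() - start


if __name__ == "__main__":
    # Doubling the repeat count roughly quadruples the concat time.
    for n in (2000, 4000, 8000):
        print(n, "concat %.3fs" % measure(add_concat, n),
              "list %.4fs" % measure(add_list, n))
```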
Detection Methods for CVE-2025-67725
Indicators of Compromise
- HTTP requests with an abnormally high number of repeated headers (e.g., hundreds or thousands of instances of the same header name)
- Sudden increases in Tornado server response latency or complete unresponsiveness
- Event loop blocking patterns detected in application performance monitoring
- Unusual CPU consumption during HTTP request processing phases
Detection Strategies
- Implement network-level monitoring for HTTP requests with excessive header repetition
- Deploy web application firewalls (WAF) with rules to detect and block requests containing abnormal header patterns
- Monitor Tornado application logs for signs of event loop delays or request processing timeouts
- Use application performance monitoring (APM) tools to track request processing times and identify anomalies
Monitoring Recommendations
- Set up alerts for Tornado server response time degradation exceeding baseline thresholds
- Monitor network traffic for requests approaching or exceeding the configured max_header_size limit
- Implement real-time logging of HTTP header counts per request to identify potential attack patterns
- Track CPU utilization on servers running Tornado applications for sudden spikes during request processing
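As an added example of the header-count logging suggested above (written for this page, not part of the advisory or of Tornado), the helper below counts header-name repetition in a raw HTTP request head and flags requests that exceed a per-name or total threshold; the thresholds and the sample requests are constructed assumptions.

```python
"""Added detection helper for the CVE-2025-67725 pattern (not part of the
advisory or of Tornado): counts header-name repetition in a raw HTTP request
head and flags requests that exceed a per-name threshold."""
from collections import Counter

# Thresholds are assumptions for illustration; tune to the application's baseline.
MAX_REPEATS_PER_NAME = 20
MAX_TOTAL_HEADERS = 100


def header_name_counts(raw_head: bytes) -> Counter:
    """Count occurrences of each header name (case-insensitive) in the request
    head, i.e. everything before the blank line that ends the headers."""
    head = raw_head.split(b"\r\n\r\n", 1)[0]
    lines = head.split(b"\r\n")[1:]  # drop the request line
    counts = Counter()
    for line in lines:
        name, sep, _ = line.partition(b":")
        if sep:
            counts[name.strip().lower()] += 1
    return counts


def classify_request(raw_head: bytes) -> dict:
    """Return a verdict plus the evidence a log line or WAF rule would need."""
    counts = header_name_counts(raw_head)
    worst_name, worst_count = (counts.most_common(1) or [(b"", 0)])[0]
    total = sum(counts.values())
    suspicious = worst_count > MAX_REPEATS_PER_NAME or total > MAX_TOTAL_HEADERS
    return {"suspicious": suspicious, "total_headers": total,
            "worst_name": worst_name.decode(), "worst_count": worst_count}


# Constructed samples: a normal request and one repeating a header 500 times.
NORMAL = b"GET / HTTP/1.1\r\nHost: example.test\r\nAccept: */*\r\n\r\n"
FLOOD = (b"GET / HTTP/1.1\r\nHost: example.test\r\n"
         + b"".join(b"X-Repeated: %d\r\n" % i for i in range(500)) + b"\r\n")

if __name__ == "__main__":
    for label, req in (("normal", NORMAL), ("flood", FLOOD)):
        print(label, classify_request(req))
```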
How to Mitigate CVE-2025-67725
Immediate Actions Required
- Upgrade Tornado to version 6.5.3 or later immediately
- Review and reduce max_header_size configuration to the default 64KB if it has been increased
- Deploy rate limiting at the network edge to mitigate active exploitation attempts
- Monitor affected servers for signs of DoS attacks until patches are applied
Patch Information
The vulnerability is fixed in Tornado version 6.5.3. The patch addresses the algorithmic complexity issue in the HTTPHeaders.add method by replacing inefficient string concatenation with a more efficient approach. The fix is available in GitHub Release v6.5.3, and the specific commit can be reviewed at GitHub Commit 771472cf.
Workarounds
- Reduce the max_header_size configuration to the default value of 64KB to limit attack severity
- Deploy a reverse proxy or load balancer in front of Tornado that can limit the number of headers per request
- Implement request filtering at the edge to drop requests with excessive header repetition
- Consider temporarily increasing server resources or deploying additional instances to absorb attack impact until patching is complete
# Upgrade Tornado to the patched version (quote the specifier so the shell
# does not treat ">=" as an output redirection)
pip install --upgrade "tornado>=6.5.3"
# Verify the installed version
pip show tornado | grep Version
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.