Is CVE-2025-67725 actively exploited?

CVE-2025-67725 has no public evidence of in-the-wild exploitation as of 2025-12-22.

What is the CVSS score for CVE-2025-67725?

CVE-2025-67725 has a CVSS score of 7.5 (HIGH severity). Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H.

How do I patch CVE-2025-67725?

Patch guidance is available from tornadoweb security advisories. CVEDatabase generates AI-assisted remediation guidance on demand for CVE-2025-67725.

Fix CVE-2025-67725 - HIGH tornadoweb tornado

Description

Tornado is a Python web framework and asynchronous networking library. In versions 6.5.2 and below, a single maliciously crafted HTTP request can block the server's event loop for an extended period, caused by the HTTPHeaders.add method. The function accumulates values using string concatenation when the same header name is repeated, causing a Denial of Service (DoS). Due to Python string immutability, each concatenation copies the entire string, resulting in O(n²) time complexity. The severity can vary from high if max_header_size has been increased from its default, to low if it has its default value of 64KB. This issue is fixed in version 6.5.3.

CVSS Metrics

Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
Attack Vector: network
Complexity: low
Privileges: none
User Action: none
Scope: unchanged
Confidentiality: none
Integrity: none
Availability: high
Weaknesses: CWE-400

Metadata

Primary Vendor: TORNADOWEB
Published: 12/12/2025
Last Modified: 12/22/2025
Source: NIST NVD
Note: Verify all details with official vendor sources before applying patches.

Affected Products

tornadoweb : tornado

Remediation Guidance

Executive Summary

Cite this page

CVE-2025-67725. CVEDatabase.com. Retrieved 1 May 2026. https://cvedatabase.com/cve/CVE-2025-67725

View on NIST NVD

CVE-2025-67725 vulnerability