Bug 2421722 (CVE-2025-67725)

Summary: CVE-2025-67725 tornado: Tornado Quadratic DoS via Repeated Header Coalescing
Product: [Other] Security Response Reporter: OSIDB Bzimport <bzimport>
Component: vulnerabilityAssignee: Product Security <prodsec-ir-bot>
Status: NEW --- QA Contact:
Severity: medium Docs Contact:
Priority: medium    
Version: unspecifiedCC: bbrownin, caswilli, eglynn, jjoyce, jkoehler, jschluet, kaycoth, lhh, lphiri, mburns, mgarciac
Target Milestone: ---Keywords: Security
Target Release: ---   
Hardware: All   
OS: Linux   
Whiteboard:
Fixed In Version: Doc Type: ---
Doc Text:
A denial of service flaw has been discovered in the Tornado networking library. In Tornado, a single maliciously crafted HTTP request can block the server's event loop for an extended period, caused by the HTTPHeaders.add method. The function accumulates values using string concatenation when the same header name is repeated, causing a Denial of Service (DoS). Due to Python string immutability, each concatenation copies the entire string, resulting in O(n²) time complexity.
 Story Points: ---
Clone Of: Environment:
Last Closed: Type: ---
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:
Embargoed:
Bug Depends On: 2421931, 2421929, 2421933, 2421934    
Bug Blocks:    

Description OSIDB Bzimport 2025-12-12 10:19:03 UTC 
Tornado is a Python web framework and asynchronous networking library. In versions 6.5.2 and below, a single maliciously crafted HTTP request can block the server's event loop for an extended period, caused by the HTTPHeaders.add method. The function accumulates values using string concatenation when the same header name is repeated, causing a Denial of Service (DoS).  Due to Python string immutability, each concatenation copies the entire string, resulting in O(n²) time complexity. The severity can vary from high if max_header_size has been increased from its default, to low if it has its default value of 64KB. This issue is fixed in version 6.5.3.
Comment 2 errata-xmlrpc 2026-01-21 15:53:32 UTC 
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 8

Via RHSA-2026:0930 https://access.redhat.com/errata/RHSA-2026:0930
Comment 4 errata-xmlrpc 2026-02-10 17:52:27 UTC 
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 8.4 Advanced Mission Critical Update Support
  Red Hat Enterprise Linux 8.4 Extended Update Support Long-Life Add-On

Via RHSA-2026:2462 https://access.redhat.com/errata/RHSA-2026:2462
Comment 5 errata-xmlrpc 2026-02-10 18:23:25 UTC 
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 8.8 Update Services for SAP Solutions
  Red Hat Enterprise Linux 8.8 Telecommunications Update Service

Via RHSA-2026:2465 https://access.redhat.com/errata/RHSA-2026:2465
Comment 6 errata-xmlrpc 2026-02-10 19:14:43 UTC 
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 8.6 Advanced Mission Critical Update Support
  Red Hat Enterprise Linux 8.6 Update Services for SAP Solutions
  Red Hat Enterprise Linux 8.6 Telecommunications Update Service

Via RHSA-2026:2469 https://access.redhat.com/errata/RHSA-2026:2469
Comment 7 errata-xmlrpc 2026-02-10 20:13:13 UTC 
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 9.0 Update Services for SAP Solutions

Via RHSA-2026:2484 https://access.redhat.com/errata/RHSA-2026:2484