Bug 2421733 (CVE-2025-67726) - CVE-2025-67726 tornado: Tornado Quadratic DoS via Crafted Multipart Parameters
Summary: CVE-2025-67726 tornado: Tornado Quadratic DoS via Crafted Multipart Parameters
Keywords:
Status: NEW
Alias: CVE-2025-67726
Product: Security Response
Classification: Other
Component: vulnerability
Version: unspecified
Hardware: All
OS: Linux
medium
medium
Target Milestone: ---
Assignee: Product Security
QA Contact:
URL:
Whiteboard:
Depends On: 2421930 2421932 2421935 2421936
Blocks:
TreeView+ depends on / blocked
 
Reported: 2025-12-12 10:19 UTC by OSIDB Bzimport
Modified: 2026-01-21 15:53 UTC (History)
11 users (show)

Fixed In Version:
Clone Of:
Environment:
Last Closed:
Embargoed:

Attachments (Terms of Use)


Links
System ID Private Priority Status Summary Last Updated
Red Hat Product Errata RHSA-2026:0930 0 None None None 2026-01-21 15:53:35 UTC

Description OSIDB Bzimport 2025-12-12 10:19:25 UTC 
Tornado is a Python web framework and asynchronous networking library. Versions 6.5.2 and below use an inefficient algorithm when parsing parameters for HTTP header values, potentially causing a DoS. The _parseparam function in httputil.py is used to parse specific HTTP header values, such as those in multipart/form-data and repeatedly calls string.count() within a nested loop while processing quoted semicolons. If an attacker sends a request with a large number of maliciously crafted parameters in a Content-Disposition header, the server's CPU usage increases quadratically (O(nĀ²)) during parsing. Due to Tornado's single event loop architecture, a single malicious request can cause the entire server to become unresponsive for an extended period. This issue is fixed in version 6.5.3.
Comment 2 errata-xmlrpc 2026-01-21 15:53:33 UTC 
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 8

Via RHSA-2026:0930 https://access.redhat.com/errata/RHSA-2026:0930
Note You need to log in before you can comment on or make changes to this bug.