| Package | python-tornado |
|---|---|
| Version | 5.1.1-4+deb10u3 (buster) |
| Related CVEs | CVE-2025-67724 CVE-2025-67725 CVE-2025-67726 |
Multiple vulnerabilities were discovered in python-tornado, a scalable, non-blocking Python web framework and asynchronous networking library.
CVE-2025-67724
Custom reason phrases can cause multiple vulnerabilities (like XSS,
header injection, ...) due to being used unescaped in HTTP headers.
CVE-2025-67725
A single maliciously crafted HTTP request can cause a possible DoS
due to quadratic performance of repeated header lines.
CVE-2025-67726
An inefficient algorithm when parsing parameters for HTTP header
values can potentially cause a DoS.
For Debian 10 buster, these problems have been fixed in version 5.1.1-4+deb10u3.
We recommend that you upgrade your python-tornado packages.
Further information about Extended LTS security advisories can be found in the dedicated section of our website.