| Package | python-tornado |
|---|---|
| Version | 4.4.3-1+deb9u2 (stretch) |
| Related CVEs | CVE-2025-47287 CVE-2025-67724 CVE-2025-67725 CVE-2025-67726 |
Multiple vulnerabilities were discovered in python-tornado, a scalable, non-blocking Python web framework and asynchronous networking library.
CVE-2025-47287
When Tornado's 'multipart/form-data' parser encounters certain errors,
it logs a warning but continues trying to parse the remainder of the
data. This allows remote attackers to generate an extremely high volume
of logs, constituting a DoS attack. This DoS is compounded by the fact
that the logging subsystem is synchronous.
CVE-2025-67724
Custom reason phrases can cause multiple vulnerabilities (like XSS,
header injection, ...) due to being used unescaped in HTTP headers.
CVE-2025-67725
A single maliciously crafted HTTP request can cause a possible DoS
due to quadratic performance of repeated header lines.
CVE-2025-67726
An inefficient algorithm when parsing parameters for HTTP header
values can potentially cause a DoS.
For Debian 9 stretch, these problems have been fixed in version 4.4.3-1+deb9u2.
We recommend that you upgrade your python-tornado packages.
Further information about Extended LTS security advisories can be found in the dedicated section of our website.