Inefficient Algorithmic Complexity Affecting tornado package, versions [,6.5.3)


Severity: high (CVSS assessment by Snyk's Security Team)

  • Snyk ID: SNYK-PYTHON-TORNADO-14400977
  • Published: 12 Dec 2025
  • Disclosed: 12 Dec 2025
  • Credit: Finder16

Introduced: 12 Dec 2025

CVE-2025-67725
CWE-407

How to fix?

Upgrade tornado to version 6.5.3 or higher.

Overview

tornado is a Python web framework and asynchronous networking library, originally developed at FriendFeed.

Affected versions of this package are vulnerable to Inefficient Algorithmic Complexity in the HTTPHeaders.add method. An attacker can cause the server's event loop to become unresponsive for an extended period by sending a single maliciously crafted HTTP request containing many repeated header names: each repeat triggers another string concatenation over the already-merged value, so the work grows quadratically and drives up CPU usage.

Note: This is only exploitable if the max_header_size configuration has been increased from its default value.
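The following is an added example for this advisory, not tornado's own code. It illustrates the CWE-407 pattern the overview describes (rebuilding a comma-joined header value on every repeated name, so copying cost grows quadratically) beside a linear-time merge that appends to a list and joins once, and it adds a small exposure check for the two preconditions stated above: a tornado release before 6.5.3 and a max_header_size raised above the default. The default of 65536 bytes is an assumption about tornado's HTTP/1 connection parameters, and the merge functions mirror the pattern, not tornado's exact source.

```python
"""Illustration of the quadratic header-merge pattern behind this advisory,
a linear alternative, and an exposure check for the stated preconditions.

Added example for this advisory page; it is not tornado's own code.
"""

# Assumed tornado default for max_header_size (bytes); not taken from the page.
DEFAULT_MAX_HEADER_SIZE = 65536


def merge_headers_quadratic(pairs):
    """Merge repeated header names by rebuilding the comma-joined string on
    every add (the pattern the advisory describes). Returns (merged, copied),
    where `copied` counts characters written: for n repeats of one name it
    grows as O(n^2), which is the CWE-407 problem."""
    merged = {}
    copied = 0
    for name, value in pairs:
        key = name.lower()
        if key in merged:
            new = merged[key] + "," + value
            copied += len(new)  # the whole merged string is rebuilt each time
            merged[key] = new
        else:
            merged[key] = value
            copied += len(value)
    return merged, copied


def merge_headers_linear(pairs):
    """Same result, but values are collected per name and joined once, so the
    copying cost is proportional to the total bytes of header values."""
    buckets = {}
    for name, value in pairs:
        buckets.setdefault(name.lower(), []).append(value)
    merged = {key: ",".join(values) for key, values in buckets.items()}
    copied = sum(len(v) for v in merged.values())
    return merged, copied


def parse_version(text):
    """'6.5.2' -> (6, 5, 2). Non-numeric suffixes such as 'rc1' are ignored,
    so a pre-release of the fixed version is treated as fixed."""
    parts = []
    for piece in text.split("."):
        digits = ""
        for ch in piece:
            if not ch.isdigit():
                break
            digits += ch
        parts.append(int(digits) if digits else 0)
    return tuple(parts)


def is_exposed(tornado_version, max_header_size=None):
    """True only when both preconditions from the advisory hold: a tornado
    release before 6.5.3 and max_header_size raised above the (assumed)
    default. max_header_size=None means the default is in effect."""
    vulnerable_release = parse_version(tornado_version) < (6, 5, 3)
    effective = max_header_size or DEFAULT_MAX_HEADER_SIZE
    return vulnerable_release and effective > DEFAULT_MAX_HEADER_SIZE


if __name__ == "__main__":
    # Constructed input: the same header name repeated 1000 times.
    repeats = [("x-dup", "v")] * 1000
    _, quad = merge_headers_quadratic(repeats)
    _, lin = merge_headers_linear(repeats)
    print(f"quadratic merge copied {quad} chars, linear merge copied {lin}")
    print("exposed (6.5.2, 1 MiB limit):", is_exposed("6.5.2", 1 << 20))
    print("exposed (6.5.2, default limit):", is_exposed("6.5.2"))
    print("exposed (6.5.3, 1 MiB limit):", is_exposed("6.5.3", 1 << 20))
```

For 1000 repeats of a one-character value the quadratic merge copies exactly 1,000,000 characters while the linear merge copies 1,999, which is why the default max_header_size cap matters: it bounds n, and only raising it lets the quadratic term become significant. The exposure check is a triage aid; the fix is still to upgrade to 6.5.3 or later.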
