CVE-2025-67726
Chinese title:
(No data available)
English title:
Tornado is Vulnerable to Quadratic DoS via Crafted Multipart Parameters
Vulnerability Description
Chinese description:
(No data available)
English description:
Tornado is a Python web framework and asynchronous networking library. Versions 6.5.2 and below use an inefficient algorithm when parsing parameters for HTTP header values, potentially causing a DoS. The _parseparam function in httputil.py is used to parse specific HTTP header values, such as those in multipart/form-data, and repeatedly calls string.count() within a nested loop while processing quoted semicolons. If an attacker sends a request with a large number of maliciously crafted parameters in a Content-Disposition header, the server's CPU usage increases quadratically (O(n²)) during parsing. Due to Tornado's single event loop architecture, a single malicious request can cause the entire server to become unresponsive for an extended period. This issue is fixed in version 6.5.3.
CWE type:
Tags:
Affected Products
| Vendor | Product | Version | Version range | Platform | CPE |
|---|---|---|---|---|---|
| tornadoweb | tornado | < 6.5.3 | - | - | cpe:2.3:a:tornadoweb:tornado:<_6.5.3:*:*:*:*:*:*:* |
| tornadoweb | tornado | * | - | - | cpe:2.3:a:tornadoweb:tornado:*:*:*:*:*:*:*:* |
Solution
Chinese solution:
English solution:
Temporary workaround:
Reference Links
cve.org
CVSS Score Details
3.1 (cna)
HIGH CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
Time Information
Exploitation Information
Data Source Details
| Data source | Record ID | Version | Extraction time |
|---|---|---|---|
| CVE | cve_CVE-2025-67726 | 2025-12-19 03:24:11 | 2026-01-12 02:12:27 |
| NVD | nvd_CVE-2025-67726 | 2025-12-23 04:10:44 | 2026-01-12 02:28:08 |
Versions and Languages
Security Advisories
Change History
- affected_products_count: 1 -> 2
- data_sources: ['cve'] -> ['cve', 'nvd']