CVE-2025-67724
Publication date 12 December 2025
Last updated 8 January 2026
Description
Tornado is a Python web framework and asynchronous networking library. In versions 6.5.2 and below, the supplied reason phrase is used unescaped in HTTP headers (where it could be used for header injection) or in HTML in the default error page (where it could be used for XSS) and can be exploited by passing untrusted or malicious data into the reason argument. Used by both RequestHandler.set_status and tornado.web.HTTPError, the argument is designed to allow applications to pass custom "reason" phrases (the "Not Found" in HTTP/1.1 404 Not Found) to the HTTP status line (mainly for non-standard status codes). This issue is fixed in version 6.5.3.
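The two sinks named in the description (the status line and the HTML error page) need different treatment, so as an added example (not Tornado's own code and not part of this advisory) the functions below validate or clean a reason phrase against the RFC 9112 reason-phrase grammar before it reaches `set_status`, and escape it separately for HTML; the `SafeReasonMixin` and its placement ahead of `RequestHandler` are assumptions about how an application would wire this in.

```python
import html

# RFC 9112 permits a reason-phrase of HTAB / SP / VCHAR / obs-text.
# This check is deliberately stricter and also rejects obs-text, so
# CR, LF and every other control character are excluded.
def is_valid_reason(reason: str) -> bool:
    """True if `reason` may be written onto an HTTP status line unchanged."""
    return bool(reason) and all(ch == "\t" or 0x20 <= ord(ch) <= 0x7E for ch in reason)


def sanitize_reason(reason: str, max_len: int = 80) -> str:
    """Drop disallowed characters and cap the length.
    A phrase that is empty after cleaning falls back to a fixed string."""
    cleaned = "".join(ch for ch in reason if ch == "\t" or 0x20 <= ord(ch) <= 0x7E)
    return cleaned[:max_len] or "Unknown"


def reason_for_error_page(reason: str) -> str:
    """The phrase as it may be interpolated into an HTML error page:
    status-line cleaning first, then HTML escaping, which is a separate concern."""
    return html.escape(sanitize_reason(reason), quote=True)


class SafeReasonMixin:
    """Assumed usage: list this mixin before tornado.web.RequestHandler in a
    handler's bases so every set_status(code, reason=...) call is cleaned
    before the framework builds the status line. Tornado's default error
    handling passes an HTTPError's reason through set_status as well
    (an assumption about the framework, not verified against a release)."""

    def set_status(self, status_code, reason=None):
        if reason is not None:
            reason = sanitize_reason(reason)
        return super().set_status(status_code, reason)
```

Rejecting an invalid phrase (and logging the rejection) is preferable to silently cleaning it when the value comes from a caller that should never have supplied control characters.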
Status
| Package | Ubuntu Release | Status |
|---|---|---|
| python-tornado | 25.10 questing | Fixed 6.4.2-3ubuntu0.2 |
| python-tornado | 24.04 LTS noble | Fixed 6.4.0-1ubuntu0.4 |
| python-tornado | 22.04 LTS jammy | Fixed 6.1.0-3ubuntu0.1~esm4 |
| python-tornado | 20.04 LTS focal | Fixed 6.0.3+really5.1.1-3ubuntu0.1~esm3 |
| python-tornado | 18.04 LTS bionic | Ignored (changes too intrusive) |
| python-tornado | 16.04 LTS xenial | Ignored (changes too intrusive) |
Notes
hlibk
For bionic and below, the changes are too intrusive and may introduce regressions, and therefore were marked as ignored.
Severity score breakdown
| Parameter | Value |
|---|---|
| Base score | |
| Attack vector | Network |
| Attack complexity | Low |
| Privileges required | None |
| User interaction | Required |
| Scope | Unchanged |
| Confidentiality | Low |
| Integrity impact | Low |
| Availability impact | None |
| Vector | CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:L/A:N |
References
Related Ubuntu Security Notices (USN)
- USN-7950-1: Tornado vulnerabilities (8 January 2026)