USN-7950-1

Details

It was discovered that Tornado incorrectly handled special characters in HTTP headers. An attacker could possibly use this issue to execute a cross- site scripting (XSS) attack. This issue only affected Ubuntu 20.04 LTS, Ubuntu 22.04 LTS, Ubuntu 24.04 LTS, Ubuntu 25.04, and Ubuntu 25.10. (CVE-2025-67724)

It was discovered that Tornado incorrectly handled repeated HTTP headers. An attacker could possibly use this issue to cause Tornado to use excessive resources, causing a denial of service. (CVE-2025-67725)

It was discovered that Tornado incorrectly handled parsing of certain HTTP header values. An attacker could possibly use this issue to cause Tornado to use excessive resources, causing a denial of service. (CVE-2025-67726)

Affected Packages

Ubuntu:24.04:LTSpython-tornado

Fixed in:

6.4.0-1ubuntu0.4

Ubuntu:25.04python-tornado

Fixed in:

6.4.2-1ubuntu0.25.04.3

Ubuntu:25.10python-tornado

Fixed in:

6.4.2-3ubuntu0.2

Ubuntu:Pro:16.04:LTSpython-tornado

Fixed in:

4.2.1-1ubuntu3.1+esm2

Ubuntu:Pro:18.04:LTSpython-tornado

Fixed in:

4.5.3-1ubuntu0.2+esm2

Ubuntu:Pro:20.04:LTSpython-tornado

Fixed in:

6.0.3+really5.1.1-3ubuntu0.1~esm3

Ubuntu:Pro:22.04:LTSpython-tornado

Fixed in:

6.1.0-3ubuntu0.1~esm4

References

REPORThttps://ubuntu.com/security/CVE-2025-67724 REPORThttps://ubuntu.com/security/CVE-2025-67725 REPORThttps://ubuntu.com/security/CVE-2025-67726 ADVISORYhttps://ubuntu.com/security/notices/USN-7950-1

USN-7950-1

Details

Affected Packages

References

Upstream

Ecosystems

Timeline