Critical DoS Vulnerabilities in Python-Tornado Affecting SUSE and Debian

Critical DoS Vulnerabilities in Python-Tornado Affecting SUSE and Debian

First seen 1 Apr 2026, 18:32 UTC Linuxsecurity 78% similarity 71.2

Article Content

Browse articles
ThreatCluster

Two significant vulnerabilities in the Python-Tornado framework have been disclosed, impacting SUSE 12 and Debian 11 systems. CVE-2025-67725 allows for Denial of Service (DoS) via maliciously crafted HTTP requests, while CVE-2026-31958 introduces risks from parsing large multipart bodies, potentially leading to DoS attacks. Both vulnerabilities have been assigned high CVSS scores, with CVE-2025-67725 rated at 8.7. Additionally, there are concerns regarding incomplete validation of cookie attributes, which could lead to further exploitation. Users are advised to apply the latest patches immediately to mitigate these risks. The vulnerabilities were published in December 2025 and March 2026, respectively. Both SUSE and Debian have released updates to address these issues. Failure to patch could leave systems vulnerable to exploitation.

Key Points: • CVE-2025-67725 and CVE-2026-31958 pose critical DoS risks to Python-Tornado users. • SUSE and Debian have issued patches to fix these vulnerabilities as of April 1, 2026. • Incomplete cookie attribute validation could lead to further security issues.

ThreatCluster AI

Timeline

2025-12-12
CVE-2025-67725 and CVE-2025-67724 published
2026-03-11
CVE-2026-31958 published
2026-04-01
SUSE and Debian release patches for vulnerabilities

Community

Browse all →