Vulnerability-Lookup

RHSA-2026:2462

Vulnerability from csaf_redhat - Published: 2026-02-10 17:54 - Updated: 2026-02-11 08:06

Summary

Red Hat Security Advisory: pcs security update

Notes

Topic

An update for pcs is now available for Red Hat Enterprise Linux 8.4 Advanced Mission Critical Update Support and Red Hat Enterprise Linux 8.4 Extended Update Support Long-Life Add-On. Red Hat Product Security has rated this update as having a security impact of Important. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.

Details

The pcs packages provide a command-line configuration system for the Pacemaker and Corosync utilities. Security Fix(es): * tornado: Tornado Quadratic DoS via Repeated Header Coalescing (CVE-2025-67725) * tornado: Tornado Quadratic DoS via Crafted Multipart Parameters (CVE-2025-67726) * lodash: prototype pollution in _.unset and _.omit functions (CVE-2025-13465) For more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section.

This content is licensed under the Creative Commons Attribution 4.0 International License (https://creativecommons.org/licenses/by/4.0/). If you distribute this content, or a modified version of it, you must provide attribution to Red Hat Inc. and provide a link to the original.

JSON

To clipboard

{
  "document": {
    "aggregate_severity": {
      "namespace": "https://access.redhat.com/security/updates/classification/",
      "text": "Important"
    },
    "category": "csaf_security_advisory",
    "csaf_version": "2.0",
    "distribution": {
      "text": "Copyright \u00a9 Red Hat, Inc. All rights reserved.",
      "tlp": {
        "label": "WHITE",
        "url": "https://www.first.org/tlp/"
      }
    },
    "lang": "en",
    "notes": [
      {
        "category": "summary",
        "text": "An update for pcs is now available for Red Hat Enterprise Linux 8.4 Advanced Mission Critical Update Support and Red Hat Enterprise Linux 8.4 Extended Update Support Long-Life Add-On.\n\nRed Hat Product Security has rated this update as having a security impact of Important. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.",
        "title": "Topic"
      },
      {
        "category": "general",
        "text": "The pcs packages provide a command-line configuration system for the Pacemaker and Corosync utilities.\n\nSecurity Fix(es):\n\n* tornado: Tornado Quadratic DoS via Repeated Header Coalescing (CVE-2025-67725)\n\n* tornado: Tornado Quadratic DoS via Crafted Multipart Parameters (CVE-2025-67726)\n\n* lodash: prototype pollution in _.unset and _.omit functions (CVE-2025-13465)\n\nFor more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section.",
        "title": "Details"
      },
      {
        "category": "legal_disclaimer",
        "text": "This content is licensed under the Creative Commons Attribution 4.0 International License (https://creativecommons.org/licenses/by/4.0/). If you distribute this content, or a modified version of it, you must provide attribution to Red Hat Inc. and provide a link to the original.",
        "title": "Terms of Use"
      }
    ],
    "publisher": {
      "category": "vendor",
      "contact_details": "https://access.redhat.com/security/team/contact/",
      "issuing_authority": "Red Hat Product Security is responsible for vulnerability handling across all Red Hat products and services.",
      "name": "Red Hat Product Security",
      "namespace": "https://www.redhat.com"
    },
    "references": [
      {
        "category": "self",
        "summary": "https://access.redhat.com/errata/RHSA-2026:2462",
        "url": "https://access.redhat.com/errata/RHSA-2026:2462"
      },
      {
        "category": "external",
        "summary": "https://access.redhat.com/security/updates/classification/#important",
        "url": "https://access.redhat.com/security/updates/classification/#important"
      },
      {
        "category": "external",
        "summary": "2421722",
        "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2421722"
      },
      {
        "category": "external",
        "summary": "2421733",
        "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2421733"
      },
      {
        "category": "external",
        "summary": "2431740",
        "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2431740"
      },
      {
        "category": "self",
        "summary": "Canonical URL",
        "url": "https://security.access.redhat.com/data/csaf/v2/advisories/2026/rhsa-2026_2462.json"
      }
    ],
    "title": "Red Hat Security Advisory: pcs security update",
    "tracking": {
      "current_release_date": "2026-02-11T08:06:16+00:00",
      "generator": {
        "date": "2026-02-11T08:06:16+00:00",
        "engine": {
          "name": "Red Hat SDEngine",
          "version": "4.7.1"
        }
      },
      "id": "RHSA-2026:2462",
      "initial_release_date": "2026-02-10T17:54:59+00:00",
      "revision_history": [
        {
          "date": "2026-02-10T17:54:59+00:00",
          "number": "1",
          "summary": "Initial version"
        },
        {
          "date": "2026-02-10T17:54:59+00:00",
          "number": "2",
          "summary": "Last updated version"
        },
        {
          "date": "2026-02-11T08:06:16+00:00",
          "number": "3",
          "summary": "Last generated version"
        }
      ],
      "status": "final",
      "version": "3"
    }
  },
  "product_tree": {
    "branches": [
      {
        "branches": [
          {
            "branches": [
              {
                "category": "product_name",
                "name": "Red Hat Enterprise Linux High Availability AUS (v.8.4)",
                "product": {
                  "name": "Red Hat Enterprise Linux High Availability AUS (v.8.4)",
                  "product_id": "HighAvailability-8.4.0.Z.AUS",
                  "product_identification_helper": {
                    "cpe": "cpe:/a:redhat:rhel_aus:8.4::highavailability"
                  }
                }
              },
              {
                "category": "product_name",
                "name": "Red Hat Enterprise Linux HighAvailability EUS EXTENSION (v.8.4)",
                "product": {
                  "name": "Red Hat Enterprise Linux HighAvailability EUS EXTENSION (v.8.4)",
                  "product_id": "HighAvailability-8.4.0.Z.EUS.EXTENSION",
                  "product_identification_helper": {
                    "cpe": "cpe:/a:redhat:rhel_eus_long_life:8.4::highavailability"
                  }
                }
              }
            ],
            "category": "product_family",
            "name": "Red Hat Enterprise Linux"
          },
          {
            "branches": [
              {
                "category": "product_version",
                "name": "pcs-0:0.10.8-1.el8_4.10.src",
                "product": {
                  "name": "pcs-0:0.10.8-1.el8_4.10.src",
                  "product_id": "pcs-0:0.10.8-1.el8_4.10.src",
                  "product_identification_helper": {
                    "purl": "pkg:rpm/redhat/pcs@0.10.8-1.el8_4.10?arch=src"
                  }
                }
              }
            ],
            "category": "architecture",
            "name": "src"
          },
          {
            "branches": [
              {
                "category": "product_version",
                "name": "pcs-0:0.10.8-1.el8_4.10.x86_64",
                "product": {
                  "name": "pcs-0:0.10.8-1.el8_4.10.x86_64",
                  "product_id": "pcs-0:0.10.8-1.el8_4.10.x86_64",
                  "product_identification_helper": {
                    "purl": "pkg:rpm/redhat/pcs@0.10.8-1.el8_4.10?arch=x86_64"
                  }
                }
              },
              {
                "category": "product_version",
                "name": "pcs-snmp-0:0.10.8-1.el8_4.10.x86_64",
                "product": {
                  "name": "pcs-snmp-0:0.10.8-1.el8_4.10.x86_64",
                  "product_id": "pcs-snmp-0:0.10.8-1.el8_4.10.x86_64",
                  "product_identification_helper": {
                    "purl": "pkg:rpm/redhat/pcs-snmp@0.10.8-1.el8_4.10?arch=x86_64"
                  }
                }
              }
            ],
            "category": "architecture",
            "name": "x86_64"
          }
        ],
        "category": "vendor",
        "name": "Red Hat"
      }
    ],
    "relationships": [
      {
        "category": "default_component_of",
        "full_product_name": {
          "name": "pcs-0:0.10.8-1.el8_4.10.src as a component of Red Hat Enterprise Linux High Availability AUS (v.8.4)",
          "product_id": "HighAvailability-8.4.0.Z.AUS:pcs-0:0.10.8-1.el8_4.10.src"
        },
        "product_reference": "pcs-0:0.10.8-1.el8_4.10.src",
        "relates_to_product_reference": "HighAvailability-8.4.0.Z.AUS"
      },
      {
        "category": "default_component_of",
        "full_product_name": {
          "name": "pcs-0:0.10.8-1.el8_4.10.x86_64 as a component of Red Hat Enterprise Linux High Availability AUS (v.8.4)",
          "product_id": "HighAvailability-8.4.0.Z.AUS:pcs-0:0.10.8-1.el8_4.10.x86_64"
        },
        "product_reference": "pcs-0:0.10.8-1.el8_4.10.x86_64",
        "relates_to_product_reference": "HighAvailability-8.4.0.Z.AUS"
      },
      {
        "category": "default_component_of",
        "full_product_name": {
          "name": "pcs-snmp-0:0.10.8-1.el8_4.10.x86_64 as a component of Red Hat Enterprise Linux High Availability AUS (v.8.4)",
          "product_id": "HighAvailability-8.4.0.Z.AUS:pcs-snmp-0:0.10.8-1.el8_4.10.x86_64"
        },
        "product_reference": "pcs-snmp-0:0.10.8-1.el8_4.10.x86_64",
        "relates_to_product_reference": "HighAvailability-8.4.0.Z.AUS"
      },
      {
        "category": "default_component_of",
        "full_product_name": {
          "name": "pcs-0:0.10.8-1.el8_4.10.src as a component of Red Hat Enterprise Linux HighAvailability EUS EXTENSION (v.8.4)",
          "product_id": "HighAvailability-8.4.0.Z.EUS.EXTENSION:pcs-0:0.10.8-1.el8_4.10.src"
        },
        "product_reference": "pcs-0:0.10.8-1.el8_4.10.src",
        "relates_to_product_reference": "HighAvailability-8.4.0.Z.EUS.EXTENSION"
      },
      {
        "category": "default_component_of",
        "full_product_name": {
          "name": "pcs-0:0.10.8-1.el8_4.10.x86_64 as a component of Red Hat Enterprise Linux HighAvailability EUS EXTENSION (v.8.4)",
          "product_id": "HighAvailability-8.4.0.Z.EUS.EXTENSION:pcs-0:0.10.8-1.el8_4.10.x86_64"
        },
        "product_reference": "pcs-0:0.10.8-1.el8_4.10.x86_64",
        "relates_to_product_reference": "HighAvailability-8.4.0.Z.EUS.EXTENSION"
      },
      {
        "category": "default_component_of",
        "full_product_name": {
          "name": "pcs-snmp-0:0.10.8-1.el8_4.10.x86_64 as a component of Red Hat Enterprise Linux HighAvailability EUS EXTENSION (v.8.4)",
          "product_id": "HighAvailability-8.4.0.Z.EUS.EXTENSION:pcs-snmp-0:0.10.8-1.el8_4.10.x86_64"
        },
        "product_reference": "pcs-snmp-0:0.10.8-1.el8_4.10.x86_64",
        "relates_to_product_reference": "HighAvailability-8.4.0.Z.EUS.EXTENSION"
      }
    ]
  },
  "vulnerabilities": [
    {
      "cve": "CVE-2025-13465",
      "cwe": {
        "id": "CWE-1321",
        "name": "Improperly Controlled Modification of Object Prototype Attributes (\u0027Prototype Pollution\u0027)"
      },
      "discovery_date": "2026-01-21T20:01:28.774829+00:00",
      "ids": [
        {
          "system_name": "Red Hat Bugzilla ID",
          "text": "2431740"
        }
      ],
      "notes": [
        {
          "category": "description",
          "text": "A flaw was found in Lodash. A prototype pollution vulnerability in the _.unset and _.omit functions allows an attacker able to control property paths to delete methods from global prototypes. By removing essential functionalities, this can result in a denial of service.",
          "title": "Vulnerability description"
        },
        {
          "category": "summary",
          "text": "lodash: prototype pollution in _.unset and _.omit functions",
          "title": "Vulnerability summary"
        },
        {
          "category": "other",
          "text": "This issue is only exploitable by applications using the _.unset and _.omit functions on an object and allowing user input to determine the path of the property to be removed. This issue only allows the deletion of properties but does not allow overwriting their behavior, limiting the impact to a denial of service. Due to this reason, this vulnerability has been rated with an important severity.\n\nIn Grafana, JavaScript code runs only in the browser, while the server side is all Golang. Therefore, the worst-case scenario is a loss of functionality in the client application inside the browser. To reflect this, the CVSS availability metric and the severity of the Grafana and the Grafana-PCP component have been updated to low and moderate, respectively.",
          "title": "Statement"
        },
        {
          "category": "general",
          "text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.",
          "title": "CVSS score applicability"
        }
      ],
      "product_status": {
        "fixed": [
          "HighAvailability-8.4.0.Z.AUS:pcs-0:0.10.8-1.el8_4.10.src",
          "HighAvailability-8.4.0.Z.AUS:pcs-0:0.10.8-1.el8_4.10.x86_64",
          "HighAvailability-8.4.0.Z.AUS:pcs-snmp-0:0.10.8-1.el8_4.10.x86_64",
          "HighAvailability-8.4.0.Z.EUS.EXTENSION:pcs-0:0.10.8-1.el8_4.10.src",
          "HighAvailability-8.4.0.Z.EUS.EXTENSION:pcs-0:0.10.8-1.el8_4.10.x86_64",
          "HighAvailability-8.4.0.Z.EUS.EXTENSION:pcs-snmp-0:0.10.8-1.el8_4.10.x86_64"
        ]
      },
      "references": [
        {
          "category": "self",
          "summary": "Canonical URL",
          "url": "https://access.redhat.com/security/cve/CVE-2025-13465"
        },
        {
          "category": "external",
          "summary": "RHBZ#2431740",
          "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2431740"
        },
        {
          "category": "external",
          "summary": "https://www.cve.org/CVERecord?id=CVE-2025-13465",
          "url": "https://www.cve.org/CVERecord?id=CVE-2025-13465"
        },
        {
          "category": "external",
          "summary": "https://nvd.nist.gov/vuln/detail/CVE-2025-13465",
          "url": "https://nvd.nist.gov/vuln/detail/CVE-2025-13465"
        },
        {
          "category": "external",
          "summary": "https://github.com/lodash/lodash/security/advisories/GHSA-xxjr-mmjv-4gpg",
          "url": "https://github.com/lodash/lodash/security/advisories/GHSA-xxjr-mmjv-4gpg"
        }
      ],
      "release_date": "2026-01-21T19:05:28.846000+00:00",
      "remediations": [
        {
          "category": "vendor_fix",
          "date": "2026-02-10T17:54:59+00:00",
          "details": "For details on how to apply this update, which includes the changes described in this advisory, refer to:\n\nhttps://access.redhat.com/articles/11258",
          "product_ids": [
            "HighAvailability-8.4.0.Z.AUS:pcs-0:0.10.8-1.el8_4.10.src",
            "HighAvailability-8.4.0.Z.AUS:pcs-0:0.10.8-1.el8_4.10.x86_64",
            "HighAvailability-8.4.0.Z.AUS:pcs-snmp-0:0.10.8-1.el8_4.10.x86_64",
            "HighAvailability-8.4.0.Z.EUS.EXTENSION:pcs-0:0.10.8-1.el8_4.10.src",
            "HighAvailability-8.4.0.Z.EUS.EXTENSION:pcs-0:0.10.8-1.el8_4.10.x86_64",
            "HighAvailability-8.4.0.Z.EUS.EXTENSION:pcs-snmp-0:0.10.8-1.el8_4.10.x86_64"
          ],
          "restart_required": {
            "category": "none"
          },
          "url": "https://access.redhat.com/errata/RHSA-2026:2462"
        },
        {
          "category": "workaround",
          "details": "To mitigate this issue, implement strict input validation before passing any property paths to the _.unset and _.omit functions to block attempts to access the prototype chain. Ensure that strings like __proto__, constructor and prototype are blocked, for example.",
          "product_ids": [
            "HighAvailability-8.4.0.Z.AUS:pcs-0:0.10.8-1.el8_4.10.src",
            "HighAvailability-8.4.0.Z.AUS:pcs-0:0.10.8-1.el8_4.10.x86_64",
            "HighAvailability-8.4.0.Z.AUS:pcs-snmp-0:0.10.8-1.el8_4.10.x86_64",
            "HighAvailability-8.4.0.Z.EUS.EXTENSION:pcs-0:0.10.8-1.el8_4.10.src",
            "HighAvailability-8.4.0.Z.EUS.EXTENSION:pcs-0:0.10.8-1.el8_4.10.x86_64",
            "HighAvailability-8.4.0.Z.EUS.EXTENSION:pcs-snmp-0:0.10.8-1.el8_4.10.x86_64"
          ]
        }
      ],
      "scores": [
        {
          "cvss_v3": {
            "attackComplexity": "LOW",
            "attackVector": "NETWORK",
            "availabilityImpact": "HIGH",
            "baseScore": 8.2,
            "baseSeverity": "HIGH",
            "confidentialityImpact": "NONE",
            "integrityImpact": "LOW",
            "privilegesRequired": "NONE",
            "scope": "UNCHANGED",
            "userInteraction": "NONE",
            "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:H",
            "version": "3.1"
          },
          "products": [
            "HighAvailability-8.4.0.Z.AUS:pcs-0:0.10.8-1.el8_4.10.src",
            "HighAvailability-8.4.0.Z.AUS:pcs-0:0.10.8-1.el8_4.10.x86_64",
            "HighAvailability-8.4.0.Z.AUS:pcs-snmp-0:0.10.8-1.el8_4.10.x86_64",
            "HighAvailability-8.4.0.Z.EUS.EXTENSION:pcs-0:0.10.8-1.el8_4.10.src",
            "HighAvailability-8.4.0.Z.EUS.EXTENSION:pcs-0:0.10.8-1.el8_4.10.x86_64",
            "HighAvailability-8.4.0.Z.EUS.EXTENSION:pcs-snmp-0:0.10.8-1.el8_4.10.x86_64"
          ]
        }
      ],
      "threats": [
        {
          "category": "impact",
          "details": "Important"
        }
      ],
      "title": "lodash: prototype pollution in _.unset and _.omit functions"
    },
    {
      "cve": "CVE-2025-67725",
      "cwe": {
        "id": "CWE-400",
        "name": "Uncontrolled Resource Consumption"
      },
      "discovery_date": "2025-12-12T09:44:25.333328+00:00",
      "ids": [
        {
          "system_name": "Red Hat Bugzilla ID",
          "text": "2421722"
        }
      ],
      "notes": [
        {
          "category": "description",
          "text": "Tornado is a Python web framework and asynchronous networking library. In versions 6.5.2 and below, a single maliciously crafted HTTP request can block the server\u0027s event loop for an extended period, caused by the HTTPHeaders.add method. The function accumulates values using string concatenation when the same header name is repeated, causing a Denial of Service (DoS).  Due to Python string immutability, each concatenation copies the entire string, resulting in O(n\u00b2) time complexity. The severity can vary from high if max_header_size has been increased from its default, to low if it has its default value of 64KB. This issue is fixed in version 6.5.3.",
          "title": "Vulnerability description"
        },
        {
          "category": "summary",
          "text": "tornado: Tornado Quadratic DoS via Repeated Header Coalescing",
          "title": "Vulnerability summary"
        },
        {
          "category": "other",
          "text": "The availability impact of this flaw is partially mitigated on Red Hat products as the host systems are not at risk.",
          "title": "Statement"
        },
        {
          "category": "general",
          "text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.",
          "title": "CVSS score applicability"
        }
      ],
      "product_status": {
        "fixed": [
          "HighAvailability-8.4.0.Z.AUS:pcs-0:0.10.8-1.el8_4.10.src",
          "HighAvailability-8.4.0.Z.AUS:pcs-0:0.10.8-1.el8_4.10.x86_64",
          "HighAvailability-8.4.0.Z.AUS:pcs-snmp-0:0.10.8-1.el8_4.10.x86_64",
          "HighAvailability-8.4.0.Z.EUS.EXTENSION:pcs-0:0.10.8-1.el8_4.10.src",
          "HighAvailability-8.4.0.Z.EUS.EXTENSION:pcs-0:0.10.8-1.el8_4.10.x86_64",
          "HighAvailability-8.4.0.Z.EUS.EXTENSION:pcs-snmp-0:0.10.8-1.el8_4.10.x86_64"
        ]
      },
      "references": [
        {
          "category": "self",
          "summary": "Canonical URL",
          "url": "https://access.redhat.com/security/cve/CVE-2025-67725"
        },
        {
          "category": "external",
          "summary": "RHBZ#2421722",
          "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2421722"
        },
        {
          "category": "external",
          "summary": "https://www.cve.org/CVERecord?id=CVE-2025-67725",
          "url": "https://www.cve.org/CVERecord?id=CVE-2025-67725"
        },
        {
          "category": "external",
          "summary": "https://nvd.nist.gov/vuln/detail/CVE-2025-67725",
          "url": "https://nvd.nist.gov/vuln/detail/CVE-2025-67725"
        },
        {
          "category": "external",
          "summary": "https://github.com/tornadoweb/tornado/commit/771472cfdaeebc0d89a9cc46e249f8891a6b29cd",
          "url": "https://github.com/tornadoweb/tornado/commit/771472cfdaeebc0d89a9cc46e249f8891a6b29cd"
        },
        {
          "category": "external",
          "summary": "https://github.com/tornadoweb/tornado/releases/tag/v6.5.3",
          "url": "https://github.com/tornadoweb/tornado/releases/tag/v6.5.3"
        },
        {
          "category": "external",
          "summary": "https://github.com/tornadoweb/tornado/security/advisories/GHSA-c98p-7wgm-6p64",
          "url": "https://github.com/tornadoweb/tornado/security/advisories/GHSA-c98p-7wgm-6p64"
        }
      ],
      "release_date": "2025-12-12T05:49:41.523000+00:00",
      "remediations": [
        {
          "category": "vendor_fix",
          "date": "2026-02-10T17:54:59+00:00",
          "details": "For details on how to apply this update, which includes the changes described in this advisory, refer to:\n\nhttps://access.redhat.com/articles/11258",
          "product_ids": [
            "HighAvailability-8.4.0.Z.AUS:pcs-0:0.10.8-1.el8_4.10.src",
            "HighAvailability-8.4.0.Z.AUS:pcs-0:0.10.8-1.el8_4.10.x86_64",
            "HighAvailability-8.4.0.Z.AUS:pcs-snmp-0:0.10.8-1.el8_4.10.x86_64",
            "HighAvailability-8.4.0.Z.EUS.EXTENSION:pcs-0:0.10.8-1.el8_4.10.src",
            "HighAvailability-8.4.0.Z.EUS.EXTENSION:pcs-0:0.10.8-1.el8_4.10.x86_64",
            "HighAvailability-8.4.0.Z.EUS.EXTENSION:pcs-snmp-0:0.10.8-1.el8_4.10.x86_64"
          ],
          "restart_required": {
            "category": "none"
          },
          "url": "https://access.redhat.com/errata/RHSA-2026:2462"
        },
        {
          "category": "workaround",
          "details": "Mitigation for this issue is either not available or the currently available options do not meet the Red Hat Product Security criteria comprising ease of use and deployment, applicability to widespread installation base or stability.",
          "product_ids": [
            "HighAvailability-8.4.0.Z.AUS:pcs-0:0.10.8-1.el8_4.10.src",
            "HighAvailability-8.4.0.Z.AUS:pcs-0:0.10.8-1.el8_4.10.x86_64",
            "HighAvailability-8.4.0.Z.AUS:pcs-snmp-0:0.10.8-1.el8_4.10.x86_64",
            "HighAvailability-8.4.0.Z.EUS.EXTENSION:pcs-0:0.10.8-1.el8_4.10.src",
            "HighAvailability-8.4.0.Z.EUS.EXTENSION:pcs-0:0.10.8-1.el8_4.10.x86_64",
            "HighAvailability-8.4.0.Z.EUS.EXTENSION:pcs-snmp-0:0.10.8-1.el8_4.10.x86_64"
          ]
        }
      ],
      "scores": [
        {
          "cvss_v3": {
            "attackComplexity": "LOW",
            "attackVector": "NETWORK",
            "availabilityImpact": "LOW",
            "baseScore": 5.3,
            "baseSeverity": "MEDIUM",
            "confidentialityImpact": "NONE",
            "integrityImpact": "NONE",
            "privilegesRequired": "NONE",
            "scope": "UNCHANGED",
            "userInteraction": "NONE",
            "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L",
            "version": "3.1"
          },
          "products": [
            "HighAvailability-8.4.0.Z.AUS:pcs-0:0.10.8-1.el8_4.10.src",
            "HighAvailability-8.4.0.Z.AUS:pcs-0:0.10.8-1.el8_4.10.x86_64",
            "HighAvailability-8.4.0.Z.AUS:pcs-snmp-0:0.10.8-1.el8_4.10.x86_64",
            "HighAvailability-8.4.0.Z.EUS.EXTENSION:pcs-0:0.10.8-1.el8_4.10.src",
            "HighAvailability-8.4.0.Z.EUS.EXTENSION:pcs-0:0.10.8-1.el8_4.10.x86_64",
            "HighAvailability-8.4.0.Z.EUS.EXTENSION:pcs-snmp-0:0.10.8-1.el8_4.10.x86_64"
          ]
        }
      ],
      "threats": [
        {
          "category": "impact",
          "details": "Moderate"
        }
      ],
      "title": "tornado: Tornado Quadratic DoS via Repeated Header Coalescing"
    },
    {
      "cve": "CVE-2025-67726",
      "cwe": {
        "id": "CWE-1333",
        "name": "Inefficient Regular Expression Complexity"
      },
      "discovery_date": "2025-12-12T09:45:15.366983+00:00",
      "ids": [
        {
          "system_name": "Red Hat Bugzilla ID",
          "text": "2421733"
        }
      ],
      "notes": [
        {
          "category": "description",
          "text": "Tornado is a Python web framework and asynchronous networking library. Versions 6.5.2 and below use an inefficient algorithm when parsing parameters for HTTP header values, potentially causing a DoS. The _parseparam function in httputil.py is used to parse specific HTTP header values, such as those in multipart/form-data and repeatedly calls string.count() within a nested loop while processing quoted semicolons. If an attacker sends a request with a large number of maliciously crafted parameters in a Content-Disposition header, the server\u0027s CPU usage increases quadratically (O(n\u00b2)) during parsing. Due to Tornado\u0027s single event loop architecture, a single malicious request can cause the entire server to become unresponsive for an extended period. This issue is fixed in version 6.5.3.",
          "title": "Vulnerability description"
        },
        {
          "category": "summary",
          "text": "tornado: Tornado Quadratic DoS via Crafted Multipart Parameters",
          "title": "Vulnerability summary"
        },
        {
          "category": "other",
          "text": "The availability impact of this flaw is partially mitigated on Red Hat products as the host systems are not at risk.",
          "title": "Statement"
        },
        {
          "category": "general",
          "text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.",
          "title": "CVSS score applicability"
        }
      ],
      "product_status": {
        "fixed": [
          "HighAvailability-8.4.0.Z.AUS:pcs-0:0.10.8-1.el8_4.10.src",
          "HighAvailability-8.4.0.Z.AUS:pcs-0:0.10.8-1.el8_4.10.x86_64",
          "HighAvailability-8.4.0.Z.AUS:pcs-snmp-0:0.10.8-1.el8_4.10.x86_64",
          "HighAvailability-8.4.0.Z.EUS.EXTENSION:pcs-0:0.10.8-1.el8_4.10.src",
          "HighAvailability-8.4.0.Z.EUS.EXTENSION:pcs-0:0.10.8-1.el8_4.10.x86_64",
          "HighAvailability-8.4.0.Z.EUS.EXTENSION:pcs-snmp-0:0.10.8-1.el8_4.10.x86_64"
        ]
      },
      "references": [
        {
          "category": "self",
          "summary": "Canonical URL",
          "url": "https://access.redhat.com/security/cve/CVE-2025-67726"
        },
        {
          "category": "external",
          "summary": "RHBZ#2421733",
          "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2421733"
        },
        {
          "category": "external",
          "summary": "https://www.cve.org/CVERecord?id=CVE-2025-67726",
          "url": "https://www.cve.org/CVERecord?id=CVE-2025-67726"
        },
        {
          "category": "external",
          "summary": "https://nvd.nist.gov/vuln/detail/CVE-2025-67726",
          "url": "https://nvd.nist.gov/vuln/detail/CVE-2025-67726"
        },
        {
          "category": "external",
          "summary": "https://github.com/tornadoweb/tornado/commit/771472cfdaeebc0d89a9cc46e249f8891a6b29cd",
          "url": "https://github.com/tornadoweb/tornado/commit/771472cfdaeebc0d89a9cc46e249f8891a6b29cd"
        },
        {
          "category": "external",
          "summary": "https://github.com/tornadoweb/tornado/releases/tag/v6.5.3",
          "url": "https://github.com/tornadoweb/tornado/releases/tag/v6.5.3"
        },
        {
          "category": "external",
          "summary": "https://github.com/tornadoweb/tornado/security/advisories/GHSA-jhmp-mqwm-3gq8",
          "url": "https://github.com/tornadoweb/tornado/security/advisories/GHSA-jhmp-mqwm-3gq8"
        }
      ],
      "release_date": "2025-12-12T06:13:51.336000+00:00",
      "remediations": [
        {
          "category": "vendor_fix",
          "date": "2026-02-10T17:54:59+00:00",
          "details": "For details on how to apply this update, which includes the changes described in this advisory, refer to:\n\nhttps://access.redhat.com/articles/11258",
          "product_ids": [
            "HighAvailability-8.4.0.Z.AUS:pcs-0:0.10.8-1.el8_4.10.src",
            "HighAvailability-8.4.0.Z.AUS:pcs-0:0.10.8-1.el8_4.10.x86_64",
            "HighAvailability-8.4.0.Z.AUS:pcs-snmp-0:0.10.8-1.el8_4.10.x86_64",
            "HighAvailability-8.4.0.Z.EUS.EXTENSION:pcs-0:0.10.8-1.el8_4.10.src",
            "HighAvailability-8.4.0.Z.EUS.EXTENSION:pcs-0:0.10.8-1.el8_4.10.x86_64",
            "HighAvailability-8.4.0.Z.EUS.EXTENSION:pcs-snmp-0:0.10.8-1.el8_4.10.x86_64"
          ],
          "restart_required": {
            "category": "none"
          },
          "url": "https://access.redhat.com/errata/RHSA-2026:2462"
        },
        {
          "category": "workaround",
          "details": "Mitigation for this issue is either not available or the currently available options do not meet the Red Hat Product Security criteria comprising ease of use and deployment, applicability to widespread installation base or stability.",
          "product_ids": [
            "HighAvailability-8.4.0.Z.AUS:pcs-0:0.10.8-1.el8_4.10.src",
            "HighAvailability-8.4.0.Z.AUS:pcs-0:0.10.8-1.el8_4.10.x86_64",
            "HighAvailability-8.4.0.Z.AUS:pcs-snmp-0:0.10.8-1.el8_4.10.x86_64",
            "HighAvailability-8.4.0.Z.EUS.EXTENSION:pcs-0:0.10.8-1.el8_4.10.src",
            "HighAvailability-8.4.0.Z.EUS.EXTENSION:pcs-0:0.10.8-1.el8_4.10.x86_64",
            "HighAvailability-8.4.0.Z.EUS.EXTENSION:pcs-snmp-0:0.10.8-1.el8_4.10.x86_64"
          ]
        }
      ],
      "scores": [
        {
          "cvss_v3": {
            "attackComplexity": "LOW",
            "attackVector": "NETWORK",
            "availabilityImpact": "LOW",
            "baseScore": 5.3,
            "baseSeverity": "MEDIUM",
            "confidentialityImpact": "NONE",
            "integrityImpact": "NONE",
            "privilegesRequired": "NONE",
            "scope": "UNCHANGED",
            "userInteraction": "NONE",
            "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L",
            "version": "3.1"
          },
          "products": [
            "HighAvailability-8.4.0.Z.AUS:pcs-0:0.10.8-1.el8_4.10.src",
            "HighAvailability-8.4.0.Z.AUS:pcs-0:0.10.8-1.el8_4.10.x86_64",
            "HighAvailability-8.4.0.Z.AUS:pcs-snmp-0:0.10.8-1.el8_4.10.x86_64",
            "HighAvailability-8.4.0.Z.EUS.EXTENSION:pcs-0:0.10.8-1.el8_4.10.src",
            "HighAvailability-8.4.0.Z.EUS.EXTENSION:pcs-0:0.10.8-1.el8_4.10.x86_64",
            "HighAvailability-8.4.0.Z.EUS.EXTENSION:pcs-snmp-0:0.10.8-1.el8_4.10.x86_64"
          ]
        }
      ],
      "threats": [
        {
          "category": "impact",
          "details": "Moderate"
        }
      ],
      "title": "tornado: Tornado Quadratic DoS via Crafted Multipart Parameters"
    }
  ]
}

CVE-2025-13465 (GCVE-0-2025-13465)

Vulnerability from cvelistv5 – Published: 2026-01-21 19:05 – Updated: 2026-01-21 19:43

Title

Prototype Pollution Vulnerability in Lodash _.unset and _.omit functions

Summary

Lodash versions 4.0.0 through 4.17.22 are vulnerable to prototype pollution in the _.unset and _.omit functions. An attacker can pass crafted paths which cause Lodash to delete methods from global prototypes. The issue permits deletion of properties but does not allow overwriting their original behavior. This issue is patched on 4.17.23

Severity ?

6.9 (Medium)


                        
                          CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:L/VA:L/SC:H/SI:H/SA:H/E:P

CWE

CWE-1321 - Improperly Controlled Modification of Object Prototype Attributes ('Prototype Pollution')

Assigner

openjs

References

URL

Tags

https://github.com/lodash/lodash/security/advisor…

Impacted products

Vendor

Product

Version

Lodash

Affected: 4.0.0 , ≤ 4.17.22 (semver)

Lodash-amd	Lodash-amd	Affected: 4.0.0 , ≤ 4.17.22 (semver)
lodash-es	lodash-es	Affected: 4.0.0 , ≤ 4.17.22 (semver)
lodash.unset	lodash.unset	Affected: 4.0.0

Credits

Lukas Euler Jordan Harband Michał Lipiński Ulises Gascón

Show details on NVD website

JSON

To clipboard

{
  "containers": {
    "adp": [
      {
        "metrics": [
          {
            "other": {
              "content": {
                "id": "CVE-2025-13465",
                "options": [
                  {
                    "Exploitation": "none"
                  },
                  {
                    "Automatable": "yes"
                  },
                  {
                    "Technical Impact": "partial"
                  }
                ],
                "role": "CISA Coordinator",
                "timestamp": "2026-01-21T19:43:10.513400Z",
                "version": "2.0.3"
              },
              "type": "ssvc"
            }
          }
        ],
        "providerMetadata": {
          "dateUpdated": "2026-01-21T19:43:38.268Z",
          "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
          "shortName": "CISA-ADP"
        },
        "title": "CISA ADP Vulnrichment"
      }
    ],
    "cna": {
      "affected": [
        {
          "defaultStatus": "unaffected",
          "modules": [
            "https://github.com/lodash/lodash"
          ],
          "packageName": "lodash",
          "product": "Lodash",
          "repo": "https://github.com/lodash/lodash",
          "vendor": "Lodash",
          "versions": [
            {
              "lessThanOrEqual": "4.17.22",
              "status": "affected",
              "version": "4.0.0",
              "versionType": "semver"
            }
          ]
        },
        {
          "defaultStatus": "unaffected",
          "modules": [
            "https://github.com/lodash/lodash"
          ],
          "product": "Lodash-amd",
          "repo": "https://github.com/lodash/lodash",
          "vendor": "Lodash-amd",
          "versions": [
            {
              "lessThanOrEqual": "4.17.22",
              "status": "affected",
              "version": "4.0.0",
              "versionType": "semver"
            }
          ]
        },
        {
          "defaultStatus": "unaffected",
          "modules": [
            "https://github.com/lodash/lodash"
          ],
          "product": "lodash-es",
          "repo": "https://github.com/lodash/lodash",
          "vendor": "lodash-es",
          "versions": [
            {
              "lessThanOrEqual": "4.17.22",
              "status": "affected",
              "version": "4.0.0",
              "versionType": "semver"
            }
          ]
        },
        {
          "defaultStatus": "unaffected",
          "modules": [
            "https://github.com/lodash/lodash"
          ],
          "product": "lodash.unset",
          "repo": "https://github.com/lodash/lodash",
          "vendor": "lodash.unset",
          "versions": [
            {
              "status": "affected",
              "version": "4.0.0"
            }
          ]
        }
      ],
      "credits": [
        {
          "lang": "en",
          "type": "finder",
          "value": "Lukas Euler"
        },
        {
          "lang": "en",
          "type": "analyst",
          "value": "Jordan Harband"
        },
        {
          "lang": "en",
          "type": "remediation reviewer",
          "value": "Micha\u0142 Lipi\u0144ski"
        },
        {
          "lang": "en",
          "type": "remediation developer",
          "value": "Ulises Gasc\u00f3n"
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "supportingMedia": [
            {
              "base64": false,
              "type": "text/html",
              "value": "\u003cp\u003eLodash versions 4.0.0 through 4.17.22 are vulnerable to prototype pollution in the \u003ccode\u003e_.unset\u003c/code\u003e\u0026nbsp;and \u003ccode\u003e_.omit\u003c/code\u003e\u0026nbsp;functions. An attacker can pass crafted paths which cause Lodash to delete methods from global prototypes.\u003c/p\u003e\u003cp\u003eThe issue permits deletion of properties but does not allow overwriting their original behavior.\u003c/p\u003e\u003cp\u003eThis issue is patched on 4.17.23\u003c/p\u003e\u003cbr\u003e"
            }
          ],
          "value": "Lodash versions 4.0.0 through 4.17.22 are vulnerable to prototype pollution in the _.unset\u00a0and _.omit\u00a0functions. An attacker can pass crafted paths which cause Lodash to delete methods from global prototypes.\n\nThe issue permits deletion of properties but does not allow overwriting their original behavior.\n\nThis issue is patched on 4.17.23"
        }
      ],
      "impacts": [
        {
          "capecId": "CAPEC-77",
          "descriptions": [
            {
              "lang": "en",
              "value": "CAPEC-77 Manipulating User-Controlled Variables"
            }
          ]
        }
      ],
      "metrics": [
        {
          "cvssV4_0": {
            "Automatable": "NOT_DEFINED",
            "Recovery": "NOT_DEFINED",
            "Safety": "NOT_DEFINED",
            "attackComplexity": "LOW",
            "attackRequirements": "NONE",
            "attackVector": "NETWORK",
            "baseScore": 6.9,
            "baseSeverity": "MEDIUM",
            "exploitMaturity": "PROOF_OF_CONCEPT",
            "privilegesRequired": "NONE",
            "providerUrgency": "NOT_DEFINED",
            "subAvailabilityImpact": "HIGH",
            "subConfidentialityImpact": "HIGH",
            "subIntegrityImpact": "HIGH",
            "userInteraction": "NONE",
            "valueDensity": "NOT_DEFINED",
            "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:L/VA:L/SC:H/SI:H/SA:H/E:P",
            "version": "4.0",
            "vulnAvailabilityImpact": "LOW",
            "vulnConfidentialityImpact": "NONE",
            "vulnIntegrityImpact": "LOW",
            "vulnerabilityResponseEffort": "NOT_DEFINED"
          },
          "format": "CVSS",
          "scenarios": [
            {
              "lang": "en",
              "value": "GENERAL"
            }
          ]
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "cweId": "CWE-1321",
              "description": "CWE-1321 Improperly Controlled Modification of Object Prototype Attributes (\u0027Prototype Pollution\u0027)",
              "lang": "en",
              "type": "CWE"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2026-01-21T19:05:28.846Z",
        "orgId": "ce714d77-add3-4f53-aff5-83d477b104bb",
        "shortName": "openjs"
      },
      "references": [
        {
          "url": "https://github.com/lodash/lodash/security/advisories/GHSA-xxjr-mmjv-4gpg"
        }
      ],
      "source": {
        "advisory": "GHSA-xxjr-mmjv-4gpg",
        "discovery": "EXTERNAL"
      },
      "title": "Prototype Pollution Vulnerability in Lodash _.unset and _.omit functions",
      "x_generator": {
        "engine": "Vulnogram 0.5.0"
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "ce714d77-add3-4f53-aff5-83d477b104bb",
    "assignerShortName": "openjs",
    "cveId": "CVE-2025-13465",
    "datePublished": "2026-01-21T19:05:28.846Z",
    "dateReserved": "2025-11-20T02:16:12.128Z",
    "dateUpdated": "2026-01-21T19:43:38.268Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.2"
}

CVE-2025-67725 (GCVE-0-2025-67725)

Vulnerability from cvelistv5 – Published: 2025-12-12 05:49 – Updated: 2025-12-18 18:51

Title

Tornado is Vulnerable to Quadratic DoS via Repeated Header Coalescing

Summary

Tornado is a Python web framework and asynchronous networking library. In versions 6.5.2 and below, a single maliciously crafted HTTP request can block the server's event loop for an extended period, caused by the HTTPHeaders.add method. The function accumulates values using string concatenation when the same header name is repeated, causing a Denial of Service (DoS). Due to Python string immutability, each concatenation copies the entire string, resulting in O(n²) time complexity. The severity can vary from high if max_header_size has been increased from its default, to low if it has its default value of 64KB. This issue is fixed in version 6.5.3.

Severity ?

7.5 (High)


                        
                          CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

CWE

CWE-400 - Uncontrolled Resource Consumption

Assigner

GitHub_M

References

URL

Tags

	https://github.com/tornadoweb/tornado/security/ad…	x_refsource_CONFIRM
	https://github.com/tornadoweb/tornado/commit/7714…	x_refsource_MISC
	https://github.com/tornadoweb/tornado/releases/ta…	x_refsource_MISC

Impacted products

	Vendor	Product	Version
	tornadoweb	tornado	Affected: < 6.5.3

Show details on NVD website

JSON

To clipboard

{
  "containers": {
    "adp": [
      {
        "metrics": [
          {
            "other": {
              "content": {
                "id": "CVE-2025-67725",
                "options": [
                  {
                    "Exploitation": "none"
                  },
                  {
                    "Automatable": "yes"
                  },
                  {
                    "Technical Impact": "partial"
                  }
                ],
                "role": "CISA Coordinator",
                "timestamp": "2025-12-18T18:50:52.619221Z",
                "version": "2.0.3"
              },
              "type": "ssvc"
            }
          }
        ],
        "providerMetadata": {
          "dateUpdated": "2025-12-18T18:51:00.369Z",
          "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
          "shortName": "CISA-ADP"
        },
        "title": "CISA ADP Vulnrichment"
      }
    ],
    "cna": {
      "affected": [
        {
          "product": "tornado",
          "vendor": "tornadoweb",
          "versions": [
            {
              "status": "affected",
              "version": "\u003c 6.5.3"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "Tornado is a Python web framework and asynchronous networking library. In versions 6.5.2 and below, a single maliciously crafted HTTP request can block the server\u0027s event loop for an extended period, caused by the HTTPHeaders.add method. The function accumulates values using string concatenation when the same header name is repeated, causing a Denial of Service (DoS).  Due to Python string immutability, each concatenation copies the entire string, resulting in O(n\u00b2) time complexity. The severity can vary from high if max_header_size has been increased from its default, to low if it has its default value of 64KB. This issue is fixed in version 6.5.3."
        }
      ],
      "metrics": [
        {
          "cvssV3_1": {
            "attackComplexity": "LOW",
            "attackVector": "NETWORK",
            "availabilityImpact": "HIGH",
            "baseScore": 7.5,
            "baseSeverity": "HIGH",
            "confidentialityImpact": "NONE",
            "integrityImpact": "NONE",
            "privilegesRequired": "NONE",
            "scope": "UNCHANGED",
            "userInteraction": "NONE",
            "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
            "version": "3.1"
          }
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "cweId": "CWE-400",
              "description": "CWE-400: Uncontrolled Resource Consumption",
              "lang": "en",
              "type": "CWE"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2025-12-12T05:49:41.523Z",
        "orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
        "shortName": "GitHub_M"
      },
      "references": [
        {
          "name": "https://github.com/tornadoweb/tornado/security/advisories/GHSA-c98p-7wgm-6p64",
          "tags": [
            "x_refsource_CONFIRM"
          ],
          "url": "https://github.com/tornadoweb/tornado/security/advisories/GHSA-c98p-7wgm-6p64"
        },
        {
          "name": "https://github.com/tornadoweb/tornado/commit/771472cfdaeebc0d89a9cc46e249f8891a6b29cd",
          "tags": [
            "x_refsource_MISC"
          ],
          "url": "https://github.com/tornadoweb/tornado/commit/771472cfdaeebc0d89a9cc46e249f8891a6b29cd"
        },
        {
          "name": "https://github.com/tornadoweb/tornado/releases/tag/v6.5.3",
          "tags": [
            "x_refsource_MISC"
          ],
          "url": "https://github.com/tornadoweb/tornado/releases/tag/v6.5.3"
        }
      ],
      "source": {
        "advisory": "GHSA-c98p-7wgm-6p64",
        "discovery": "UNKNOWN"
      },
      "title": "Tornado is Vulnerable to Quadratic DoS via Repeated Header Coalescing"
    }
  },
  "cveMetadata": {
    "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
    "assignerShortName": "GitHub_M",
    "cveId": "CVE-2025-67725",
    "datePublished": "2025-12-12T05:49:41.523Z",
    "dateReserved": "2025-12-10T19:25:20.819Z",
    "dateUpdated": "2025-12-18T18:51:00.369Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.2"
}

CVE-2025-67726 (GCVE-0-2025-67726)

Vulnerability from cvelistv5 – Published: 2025-12-12 06:13 – Updated: 2025-12-18 18:48

Title

Tornado is Vulnerable to Quadratic DoS via Crafted Multipart Parameters

Summary

Tornado is a Python web framework and asynchronous networking library. Versions 6.5.2 and below use an inefficient algorithm when parsing parameters for HTTP header values, potentially causing a DoS. The _parseparam function in httputil.py is used to parse specific HTTP header values, such as those in multipart/form-data and repeatedly calls string.count() within a nested loop while processing quoted semicolons. If an attacker sends a request with a large number of maliciously crafted parameters in a Content-Disposition header, the server's CPU usage increases quadratically (O(n²)) during parsing. Due to Tornado's single event loop architecture, a single malicious request can cause the entire server to become unresponsive for an extended period. This issue is fixed in version 6.5.3.

Severity ?

7.5 (High)


                        
                          CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

CWE

CWE-834 - Excessive Iteration
CWE-400 - Uncontrolled Resource Consumption

Assigner

GitHub_M

References

URL

Tags

	https://github.com/tornadoweb/tornado/security/ad…	x_refsource_CONFIRM
	https://github.com/tornadoweb/tornado/commit/7714…	x_refsource_MISC
	https://github.com/tornadoweb/tornado/releases/ta…	x_refsource_MISC

Impacted products

	Vendor	Product	Version
	tornadoweb	tornado	Affected: < 6.5.3

Show details on NVD website

JSON

To clipboard

{
  "containers": {
    "adp": [
      {
        "metrics": [
          {
            "other": {
              "content": {
                "id": "CVE-2025-67726",
                "options": [
                  {
                    "Exploitation": "none"
                  },
                  {
                    "Automatable": "yes"
                  },
                  {
                    "Technical Impact": "partial"
                  }
                ],
                "role": "CISA Coordinator",
                "timestamp": "2025-12-18T18:47:53.473225Z",
                "version": "2.0.3"
              },
              "type": "ssvc"
            }
          }
        ],
        "providerMetadata": {
          "dateUpdated": "2025-12-18T18:48:49.007Z",
          "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
          "shortName": "CISA-ADP"
        },
        "title": "CISA ADP Vulnrichment"
      }
    ],
    "cna": {
      "affected": [
        {
          "product": "tornado",
          "vendor": "tornadoweb",
          "versions": [
            {
              "status": "affected",
              "version": "\u003c 6.5.3"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "Tornado is a Python web framework and asynchronous networking library. Versions 6.5.2 and below use an inefficient algorithm when parsing parameters for HTTP header values, potentially causing a DoS. The _parseparam function in httputil.py is used to parse specific HTTP header values, such as those in multipart/form-data and repeatedly calls string.count() within a nested loop while processing quoted semicolons. If an attacker sends a request with a large number of maliciously crafted parameters in a Content-Disposition header, the server\u0027s CPU usage increases quadratically (O(n\u00b2)) during parsing. Due to Tornado\u0027s single event loop architecture, a single malicious request can cause the entire server to become unresponsive for an extended period. This issue is fixed in version 6.5.3."
        }
      ],
      "metrics": [
        {
          "cvssV3_1": {
            "attackComplexity": "LOW",
            "attackVector": "NETWORK",
            "availabilityImpact": "HIGH",
            "baseScore": 7.5,
            "baseSeverity": "HIGH",
            "confidentialityImpact": "NONE",
            "integrityImpact": "NONE",
            "privilegesRequired": "NONE",
            "scope": "UNCHANGED",
            "userInteraction": "NONE",
            "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
            "version": "3.1"
          }
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "cweId": "CWE-834",
              "description": "CWE-834: Excessive Iteration",
              "lang": "en",
              "type": "CWE"
            }
          ]
        },
        {
          "descriptions": [
            {
              "cweId": "CWE-400",
              "description": "CWE-400: Uncontrolled Resource Consumption",
              "lang": "en",
              "type": "CWE"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2025-12-12T06:13:51.336Z",
        "orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
        "shortName": "GitHub_M"
      },
      "references": [
        {
          "name": "https://github.com/tornadoweb/tornado/security/advisories/GHSA-jhmp-mqwm-3gq8",
          "tags": [
            "x_refsource_CONFIRM"
          ],
          "url": "https://github.com/tornadoweb/tornado/security/advisories/GHSA-jhmp-mqwm-3gq8"
        },
        {
          "name": "https://github.com/tornadoweb/tornado/commit/771472cfdaeebc0d89a9cc46e249f8891a6b29cd",
          "tags": [
            "x_refsource_MISC"
          ],
          "url": "https://github.com/tornadoweb/tornado/commit/771472cfdaeebc0d89a9cc46e249f8891a6b29cd"
        },
        {
          "name": "https://github.com/tornadoweb/tornado/releases/tag/v6.5.3",
          "tags": [
            "x_refsource_MISC"
          ],
          "url": "https://github.com/tornadoweb/tornado/releases/tag/v6.5.3"
        }
      ],
      "source": {
        "advisory": "GHSA-jhmp-mqwm-3gq8",
        "discovery": "UNKNOWN"
      },
      "title": "Tornado is Vulnerable to Quadratic DoS via Crafted Multipart Parameters"
    }
  },
  "cveMetadata": {
    "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
    "assignerShortName": "GitHub_M",
    "cveId": "CVE-2025-67726",
    "datePublished": "2025-12-12T06:13:51.336Z",
    "dateReserved": "2025-12-10T19:25:20.819Z",
    "dateUpdated": "2025-12-18T18:48:49.007Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.2"
}

Tags

Taxonomy of the tags.

All sightings related to this event Export sightings related to this event

Sightings

Author	Source	Type	Date

Nomenclature

Seen: The vulnerability was mentioned, discussed, or observed by the user.
Confirmed: The vulnerability has been validated from an analyst's perspective.
Published Proof of Concept: A public proof of concept is available for this vulnerability.
Exploited: The vulnerability was observed as exploited by the user who reported the sighting.
Patched: The vulnerability was observed as successfully patched by the user who reported the sighting.
Not exploited: The vulnerability was not observed as exploited by the user who reported the sighting.
Not confirmed: The user expressed doubt about the validity of the vulnerability.
Not patched: The vulnerability was not observed as successfully patched by the user who reported the sighting.

Detection rules are retrieved from Rulezet.

Action not permitted

RHSA-2026:2462

CVE-2025-13465 (GCVE-0-2025-13465)

CVE-2025-67725 (GCVE-0-2025-67725)

CVE-2025-67726 (GCVE-0-2025-67726)

Tags

Sightings

Nomenclature