Description

Tornado is a Python web framework and asynchronous networking library. When Tornado's `multipart/form-data` parser encounters certain errors, it logs a warning but continues trying to parse the remainder of the data. This allows remote attackers to generate an extremely high volume of logs, constituting a DoS attack. The DoS is compounded by the fact that the logging subsystem is synchronous. All versions of Tornado prior to 6.5.0 are affected. The vulnerable parser is enabled by default. Upgrade to Tornado version 6.5.0 to receive a patch. As a workaround, risk can be mitigated by blocking `Content-Type: multipart/form-data` in a proxy.
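Because the log flood is the observable symptom of this issue, a defender can watch for bursts of the parser's warnings. The following is an added example, not code from Tornado or from this advisory; it assumes Tornado's default `LogFormatter` line layout, the warning texts emitted by `tornado.httputil.parse_multipart_form_data` before 6.5.0, a threshold chosen here for illustration, and constructed sample log lines:

```python
"""Flag bursts of Tornado multipart/form-data parser warnings in a log stream.

Assumed line layout (Tornado's default LogFormatter), e.g.
  [W 250515 21:17:55 httputil:459] multipart/form-data missing headers
"""
import re
from collections import Counter
from typing import Iterable, Optional, Tuple, List

# Warning texts logged by tornado.httputil.parse_multipart_form_data in
# versions before 6.5.0, where the parser warned and kept going instead
# of rejecting the request.
MULTIPART_WARNINGS = (
    "Invalid multipart/form-data",          # also covers "...: no final boundary"
    "multipart/form-data missing headers",
    "multipart/form-data value missing name",
)

# Level W, timestamp "%y%m%d %H:%M:%S", module httputil with a line number.
LINE_RE = re.compile(
    r"^\[W (?P<ts>\d{6} \d{2}:\d{2}:\d{2}) httputil:\d+\] (?P<msg>.*)$"
)


def parse_warning(line: str) -> Optional[Tuple[str, str]]:
    """Return (timestamp, message) for a multipart warning line, else None."""
    m = LINE_RE.match(line.strip())
    if not m or not m.group("msg").startswith(MULTIPART_WARNINGS):
        return None
    return m.group("ts"), m.group("msg")


def bursts(lines: Iterable[str], threshold: int = 100) -> List[Tuple[str, int]]:
    """Seconds in which the number of multipart warnings exceeds `threshold`.

    Warnings carry no client address, so the alert is rate-based only.
    """
    per_second: Counter = Counter()
    for line in lines:
        parsed = parse_warning(line)
        if parsed is not None:
            per_second[parsed[0]] += 1
    return sorted((ts, n) for ts, n in per_second.items() if n > threshold)


# Constructed sample: one stray warning, then 150 warnings inside one second.
SAMPLE_LOG = (
    ["[I 250515 21:17:50 web:2348] 200 POST /upload (203.0.113.7) 12.30ms",
     "[W 250515 21:17:51 httputil:459] Invalid multipart/form-data"]
    + ["[W 250515 21:17:55 httputil:459] multipart/form-data missing headers"] * 150
    + ["[I 250515 21:17:56 web:2348] 200 GET / (203.0.113.7) 1.02ms"]
)

if __name__ == "__main__":
    for ts, n in bursts(SAMPLE_LOG):
        print(f"{ts}: {n} multipart warnings")
```

A burst reported by `bursts` is a signal to confirm the running Tornado version and to apply the upgrade or the proxy-side block described above.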

INFO

Published Date: 2025-05-15T21:17:55.188Z

Last Modified: 2025-05-29T06:04:05.899Z

Source: GitHub_M

AFFECTED PRODUCTS

The following products are affected by CVE-2025-47287 vulnerability.

Vendors Products
Debian
  • Debian Linux
Redhat
  • Enterprise Linux
  • Rhel E4s
  • Rhel Els
  • Rhel Eus
  • Rhel Tus
Tornadoweb
  • Tornado

CVSS Vulnerability Scoring System

[CVSS vector chart not preserved in this copy; its metrics were Attack Vector, Attack Complexity, Privileges Required, User Interaction, Scope, Confidentiality Impact, Integrity Impact and Availability Impact.]