CVE-2025-47287

High CVSS: 7.5

Tornado is a Python web framework and asynchronous networking library. When Tornado's ``multipart/form-data`` parser encounters certain errors, it logs a warning but continues trying to parse the remainder of the data. This allows remote attackers to generate an extremely high volume of logs, constituting a DoS attack. This DoS is compounded by the fact that the logging subsystem is synchronous. All versions of Tornado prior to 6.5.0 are affected. The vulnerable parser is enabled by default. Upgrade to Tornado version 6.50 to receive a patch. As a workaround, risk can be mitigated by blocking `Content-Type: multipart/form-data` in a proxy.

Vendor

Tornadoweb

Product

Tornado

CWE

CWE-770

Yayın Tarihi

2025-05-15 22:15:18

Güncelleme

2025-12-23 19:19:44

Source Identifier

security-advisories@github.com

KEV Date Added

Kategoriler

CWE-770 Tornado HIGH Tornadoweb 2025

Referanslar

https://github.com/tornadoweb/tornado/commit/b39b892bf78fe8fea01dd45199aa88307e7162f3 https://github.com/tornadoweb/tornado/security/advisories/GHSA-7cx3-6m66-7c5m https://lists.debian.org/debian-lts-announce/2025/05/msg00038.html

Benzer Kayıtlar

High

CVE-2026-31958

Tornado is a Python web framework and asynchronous networking library. In versions of Tornado prior to 6.5.5, the only l…

High

CVE-2025-67726

Tornado is a Python web framework and asynchronous networking library. Versions 6.5.2 and below use an inefficient algor…

Medium

CVE-2025-67724

Tornado is a Python web framework and asynchronous networking library. In versions 6.5.2 and below, the supplied reason…

High

CVE-2025-67725

Tornado is a Python web framework and asynchronous networking library. In versions 6.5.2 and below, a single maliciously…