Vulnerability Description
Tornado is a Python web framework and asynchronous networking library. When Tornado's ``multipart/form-data`` parser encounters certain errors, it logs a warning but continues trying to parse the remainder of the data. This allows remote attackers to generate an extremely high volume of logs, constituting a DoS attack. This DoS is compounded by the fact that the logging subsystem is synchronous. All versions of Tornado prior to 6.5.0 are affected. The vulnerable parser is enabled by default. Upgrade to Tornado version 6.50 to receive a patch. As a workaround, risk can be mitigated by blocking `Content-Type: multipart/form-data` in a proxy.
CVSS Score
HIGH
Affected Products
| Vendor | Product | Versions |
|---|---|---|
| Tornadoweb | Tornado | < 6.5.0 |
| Debian | Debian Linux | 11.0 |
Related Weaknesses (CWE)
References
- https://github.com/tornadoweb/tornado/commit/b39b892bf78fe8fea01dd45199aa88307e7Patch
- https://github.com/tornadoweb/tornado/security/advisories/GHSA-7cx3-6m66-7c5mVendor Advisory
- https://lists.debian.org/debian-lts-announce/2025/05/msg00038.htmlMailing ListThird Party Advisory
FAQ
What is CVE-2025-47287?
CVE-2025-47287 is a vulnerability with a CVSS score of 7.5 (HIGH). Tornado is a Python web framework and asynchronous networking library. When Tornado's ``multipart/form-data`` parser encounters certain errors, it logs a warning but continues trying to parse the rema...
How severe is CVE-2025-47287?
CVE-2025-47287 has been rated HIGH with a CVSS base score of 7.5/10. Review the CVSS metrics above for detailed severity breakdown.
Is there a patch for CVE-2025-47287?
Check the references section above for vendor advisories and patch information. Affected products include: Tornadoweb Tornado, Debian Debian Linux.