Mend.io Vulnerability Database

What is a CVE vulnerability ID? icon What is a WS vulnerability ID? icon What is an MSC vulnerability ID? icon
New vulnerability? Tell us about it!
icon

We found results for “

CVE-2025-47287

Good to know:

icon
icon

Date: May 15, 2025

Tornado is a Python web framework and asynchronous networking library. When Tornado's "multipart/form-data" parser encounters certain errors, it logs a warning but continues trying to parse the remainder of the data. This allows remote attackers to generate an extremely high volume of logs, constituting a DoS attack. This DoS is compounded by the fact that the logging subsystem is synchronous. All versions of Tornado prior to 6.5.0 are affected. The vulnerable parser is enabled by default. Upgrade to Tornado version 6.50 to receive a patch. As a workaround, risk can be mitigated by blocking "Content-Type: multipart/form-data" in a proxy.

Severity Score

Related Resources (7)

https://lists.debian.org/debian-lts-announce/2025/05/msg00038.html
https://github.com/tornadoweb/tornado/commit/b39b892bf78fe8fea01dd45199aa88307e7162f3
https://github.com/tornadoweb/tornado/security/advisories/GHSA-7cx3-6m66-7c5m
https://github.com/tornadoweb/tornado
https://security-tracker.debian.org/tracker/CVE-2025-47287
https://nvd.nist.gov/vuln/detail/CVE-2025-47287
https://www.mend.io/vulnerability-database/CVE-2025-47287

Severity Score

Weakness Type (CWE)

Allocation of Resources Without Limits or Throttling

CWE-770

Top Fix

icon

Upgrade Version

Upgrade to version tornado - 6.5;tornado - 6.5;tornado - 6.5;https://github.com/tornadoweb/tornado.git - v6.5.0

Learn More

CVSS v3.1

Base Score:
Attack Vector (AV): NETWORK
Attack Complexity (AC): LOW
Privileges Required (PR): NONE
User Interaction (UI): NONE
Scope (S): UNCHANGED
Confidentiality (C): NONE
Integrity (I): NONE
Availability (A): HIGH

Do you need more information?

Contact Us