An open API service providing security vulnerability metadata for many open source software ecosystems.

GSA_kwCzR0hTQS03Y3gzLTZtNjYtN2M1bc4ABH_J

Severity: High. EPSS: 0.00118% (0.31478 percentile)

Tornado vulnerable to excessive logging caused by malformed multipart form data

Affected Packages        Affected Versions    Fixed Versions
pypi:tornado             < 6.5                6.5
  PURL: pkg:pypi/tornado
  853 dependent packages, 113,286 dependent repositories, 72,008,601 downloads last month

Affected Version Ranges

All affected versions

1.1.1, 1.2.1, 2.1.1, 2.2.1, 2.4.1, 3.0.1, 3.0.2, 3.1.1, 3.2.1, 3.2.2, 4.0.1, 4.0.2, 4.2.1, 4.4.1, 4.4.2, 4.4.3, 4.5.1, 4.5.2, 4.5.3, 5.0.1, 5.0.2, 5.1.1, 6.0.1, 6.0.2, 6.0.3, 6.0.4, 6.3.1, 6.3.2, 6.3.3, 6.4.1, 6.4.2

All unaffected versions

6.5.1, 6.5.2

Summary

When Tornado's multipart/form-data parser encounters certain errors, it logs a warning but continues trying to parse the remainder of the data. This allows remote attackers to generate an extremely high volume of logs, constituting a DoS attack. This DoS is compounded by the fact that the logging subsystem is synchronous.

Affected versions

All versions of Tornado prior to 6.5 are affected. The vulnerable parser is enabled by default.

Solution

Upgrade to Tornado version 6.5. In the meantime, risk can be mitigated by blocking Content-Type: multipart/form-data in a proxy.
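For deployments that cannot upgrade immediately, an application-side complement to the proxy block described above is to cap how many identical warnings Tornado's logger may emit per time window, which bounds the synchronous log volume a malformed multipart body can force. This is an added example, not code from Tornado or from the advisory; the logger name "tornado.general" is Tornado's general-purpose logger, while the cap, window, fake clock and sample message are assumptions chosen for the demonstration.

```python
import logging
import time
from collections import defaultdict


class RepeatedWarningThrottle(logging.Filter):
    """Suppress repeats of the same message once a per-window cap is reached.

    Records at ERROR and above always pass; only WARNING and lower are throttled,
    so a flood of parser warnings is bounded without hiding real failures.
    """

    def __init__(self, max_per_window=20, window_s=60.0, clock=time.monotonic):
        super().__init__()
        self.max_per_window = max_per_window          # assumed cap per (logger, message)
        self.window_s = window_s                      # assumed window length in seconds
        self.clock = clock                            # injectable for deterministic tests
        self._state = defaultdict(lambda: [0.0, 0])   # key -> [window_start, count]
        self.dropped = defaultdict(int)               # key -> number of suppressed records

    def filter(self, record):
        if record.levelno >= logging.ERROR:
            return True
        key = (record.name, record.getMessage())
        now = self.clock()
        window_start, count = self._state[key]
        if now - window_start >= self.window_s:       # start a fresh window
            window_start, count = now, 0
        count += 1
        self._state[key] = [window_start, count]
        if count > self.max_per_window:
            self.dropped[key] += 1
            return False
        return True


def install_throttle(logger_name="tornado.general", **kwargs):
    """Attach the throttle to Tornado's general logger (the one its parser warns on)."""
    throttle = RepeatedWarningThrottle(**kwargs)
    logging.getLogger(logger_name).addFilter(throttle)
    return throttle


def simulate(n_warnings, max_per_window=20, window_s=60.0, advance_s=0.0):
    """Push n identical constructed warnings through one filter with a fake clock.

    Returns (records passed, records dropped)."""
    fake_now = [0.0]
    throttle = RepeatedWarningThrottle(max_per_window, window_s, clock=lambda: fake_now[0])
    passed = 0
    for _ in range(n_warnings):
        record = logging.LogRecord("tornado.general", logging.WARNING, "constructed", 0,
                                   "Invalid multipart/form-data", None, None)  # constructed sample
        if throttle.filter(record):
            passed += 1
        fake_now[0] += advance_s
    return passed, sum(throttle.dropped.values())
```

Because the filter keys on the rendered message, a burst of one repeated warning is capped per window while distinct messages and ERROR-level records are unaffected.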

References: