CVE-2025-47287 — Allocation of Resources Without Limits or Throttling in Tornado

CWE-770 — Allocation of Resources Without Limits or Throttling8 documents6 sources

Severity

7.5HIGHNVD

EPSS

1.2%

top 21.37%

CISA KEV

Not in KEV

Exploit

No known exploits

Affected products

Tornadoweb Tornado Debian Python-tornado Debian Linux

Timeline

PublishedMay 15

Latest updateJun 2

Description

Tornado is a Python web framework and asynchronous networking library. When Tornado's ``multipart/form-data`` parser encounters certain errors, it logs a warning but continues trying to parse the remainder of the data. This allows remote attackers to generate an extremely high volume of logs, constituting a DoS attack. This DoS is compounded by the fact that the logging subsystem is synchronous. All versions of Tornado prior to 6.5.0 are affected. The vulnerable parser is enabled by default. Upg…

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:HExploitability: 3.9 | Impact: 3.6

Affected Packages3 packages

▶debiandebian/python-tornado< python-tornado 6.2.0-3+deb12u2 (bookworm)

▶NVDtornadoweb/tornado< 6.5.0

▶PyPItornadoweb/tornado< 6.5

Also affects: Debian Linux 11.0

Patches

Patch: github.com ↗

🔴Vulnerability Details

OSV

python-tornado vulnerability↗2025-06-02

▶

GHSA

Tornado vulnerable to excessive logging caused by malformed multipart form data↗2025-05-16

▶

OSV

Tornado vulnerable to excessive logging caused by malformed multipart form data↗2025-05-16

▶

OSV

CVE-2025-47287: Tornado is a Python web framework and asynchronous networking library↗2025-05-15

▶

📋Vendor Advisories

Ubuntu

Tornado vulnerability↗2025-06-02

▶

Red Hat

tornado: Tornado Multipart Form-Data Denial of Service↗2025-05-15

▶

Debian

CVE-2025-47287: python-tornado - Tornado is a Python web framework and asynchronous networking library. When Torn...↗2025

▶