CVE-2025-47287

HIGH
Published 2025-05-15T21:17:55.188Z
CVSS Score (V3.1): 7.5/10
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
Base Score Metrics
Exploitability: N/A Impact: N/A

Attack Vector Metrics

Attack Vector: NETWORK
Attack Complexity: LOW
Privileges Required: NONE
User Interaction: NONE
Scope: UNCHANGED

Impact Metrics

Confidentiality: NONE
Integrity: NONE
Availability: HIGH

Description

Tornado is a Python web framework and asynchronous networking library. When Tornado's `multipart/form-data` parser encounters certain errors, it logs a warning but continues trying to parse the remainder of the data. This allows remote attackers to generate an extremely high volume of logs, constituting a DoS attack. This DoS is compounded by the fact that the logging subsystem is synchronous. All versions of Tornado prior to 6.5.0 are affected. The vulnerable parser is enabled by default. Upgrade to Tornado version 6.5.0 to receive a patch. As a workaround, risk can be mitigated by blocking `Content-Type: multipart/form-data` in a proxy.

Available Exploits

No exploits available for this CVE.

Related News

High DoS Risk: Tornado’s Default Parser Exposes Apps (CVE-2025-47287)

A newly disclosed vulnerability in the Tornado Python web framework, tracked as CVE-2025-47287, exposes applications to a denial-of-service

SecurityOnline.info 2025-05-19 00:38

Affected Products

References

Published: 2025-05-15T21:17:55.188Z
Last Modified: 2025-05-29T06:04:05.899Z