CVE-2025-47287
Severity: HIGH 7.5 | EPSS: 1.2%
Tornado vulnerable to excessive logging caused by malformed multipart form data
Published: 2025/5/16 | Modified: 2026/2/4
Description
### Summary

When Tornado's `multipart/form-data` parser encounters certain errors, it logs a warning but continues trying to parse the remainder of the data. This allows remote attackers to generate an extremely high volume of logs, constituting a DoS attack. This DoS is compounded by the fact that the logging subsystem is synchronous.

### Affected versions

All versions of Tornado prior to 6.5 are affected. The vulnerable parser is enabled by default.

### Solution

Upgrade to Tornado version 6.5. In the meantime, risk can be mitigated by blocking `Content-Type: multipart/form-data` in a proxy.
Affected packages (4)
- Debian/python-tornado: from 0, < 6.1.0-1+deb11u2
- Debian/python-tornado: from 0, < 6.1.0-1+deb11u2
- Debian/python-tornado: from 0, < 6.2.0-3+deb12u2
- PyPI/tornado: from 0, < 6.5
CVSS score
| Source | Version | Severity | Vector |
|---|---|---|---|
| osv | CVSS 3.1 | HIGH 7.5 | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H |
References (6)
- ADVISORY: https://nvd.nist.gov/vuln/detail/CVE-2025-47287
- ADVISORY: https://security-tracker.debian.org/tracker/CVE-2025-47287
- PATCH: https://github.com/tornadoweb/tornado
- WEB: https://github.com/tornadoweb/tornado/commit/b39b892bf78fe8fea01dd45199aa88307e7162f3
- WEB: https://github.com/tornadoweb/tornado/security/advisories/GHSA-7cx3-6m66-7c5m
- WEB: https://lists.debian.org/debian-lts-announce/2025/05/msg00038.html