{"dataType": "CVE_RECORD", "dataVersion": "5.1", "cveMetadata": {"cveId": "CVE-2025-47287", "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "state": "PUBLISHED", "assignerShortName": "GitHub_M", "dateReserved": "2025-05-05T16:53:10.374Z", "datePublished": "2025-05-15T21:17:55.188Z", "dateUpdated": "2025-05-29T06:04:05.899Z"}, "containers": {"cna": {"title": "Tornado vulnerable to excessive logging caused by malformed multipart form data", "problemTypes": [{"descriptions": [{"cweId": "CWE-770", "lang": "en", "description": "CWE-770: Allocation of Resources Without Limits or Throttling", "type": "CWE"}]}], "metrics": [{"cvssV3_1": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 7.5, "baseSeverity": "HIGH", "confidentialityImpact": "NONE", "integrityImpact": "NONE", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", "version": "3.1"}}], "references": [{"name": "https://github.com/tornadoweb/tornado/security/advisories/GHSA-7cx3-6m66-7c5m", "tags": ["x_refsource_CONFIRM"], "url": "https://github.com/tornadoweb/tornado/security/advisories/GHSA-7cx3-6m66-7c5m"}, {"name": "https://github.com/tornadoweb/tornado/commit/b39b892bf78fe8fea01dd45199aa88307e7162f3", "tags": ["x_refsource_MISC"], "url": "https://github.com/tornadoweb/tornado/commit/b39b892bf78fe8fea01dd45199aa88307e7162f3"}], "affected": [{"vendor": "tornadoweb", "product": "tornado", "versions": [{"version": "< 6.5.0", "status": "affected"}]}], "providerMetadata": {"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M", "dateUpdated": "2025-05-15T21:17:55.188Z"}, "descriptions": [{"lang": "en", "value": "Tornado is a Python web framework and asynchronous networking library. When Tornado's ``multipart/form-data`` parser encounters certain errors, it logs a warning but continues trying to parse the remainder of the data. This allows remote attackers to generate an extremely high volume of logs, constituting a DoS attack. This DoS is compounded by the fact that the logging subsystem is synchronous. All versions of Tornado prior to 6.5.0 are affected. The vulnerable parser is enabled by default. Upgrade to Tornado version 6.50 to receive a patch. As a workaround, risk can be mitigated by blocking `Content-Type: multipart/form-data` in a proxy."}], "source": {"advisory": "GHSA-7cx3-6m66-7c5m", "discovery": "UNKNOWN"}}, "adp": [{"metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2025-05-16T13:36:22.375175Z", "id": "CVE-2025-47287", "options": [{"Exploitation": "none"}, {"Automatable": "yes"}, {"Technical Impact": "partial"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2025-05-16T13:36:31.466Z"}}, {"title": "CVE Program Container", "references": [{"url": "https://lists.debian.org/debian-lts-announce/2025/05/msg00038.html"}], "providerMetadata": {"orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE", "dateUpdated": "2025-05-29T06:04:05.899Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CVE Program Container", "references": [{"url": "https://lists.debian.org/debian-lts-announce/2025/05/msg00038.html"}], "providerMetadata": {"orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE", "dateUpdated": "2025-05-29T06:04:05.899Z"}}, {"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2025-47287", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "yes"}, {"Technical Impact": "partial"}], "version": "2.0.3", "timestamp": "2025-05-16T13:36:22.375175Z"}}}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2025-05-16T13:36:25.413Z"}}], "cna": {"title": "Tornado vulnerable to excessive logging caused by malformed multipart form data", "source": {"advisory": "GHSA-7cx3-6m66-7c5m", "discovery": "UNKNOWN"}, "metrics": [{"cvssV3_1": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 7.5, "attackVector": "NETWORK", "baseSeverity": "HIGH", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", "integrityImpact": "NONE", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "HIGH", "privilegesRequired": "NONE", "confidentialityImpact": "NONE"}}], "affected": [{"vendor": "tornadoweb", "product": "tornado", "versions": [{"status": "affected", "version": "< 6.5.0"}]}], "references": [{"url": "https://github.com/tornadoweb/tornado/security/advisories/GHSA-7cx3-6m66-7c5m", "name": "https://github.com/tornadoweb/tornado/security/advisories/GHSA-7cx3-6m66-7c5m", "tags": ["x_refsource_CONFIRM"]}, {"url": "https://github.com/tornadoweb/tornado/commit/b39b892bf78fe8fea01dd45199aa88307e7162f3", "name": "https://github.com/tornadoweb/tornado/commit/b39b892bf78fe8fea01dd45199aa88307e7162f3", "tags": ["x_refsource_MISC"]}], "descriptions": [{"lang": "en", "value": "Tornado is a Python web framework and asynchronous networking library. When Tornado's ``multipart/form-data`` parser encounters certain errors, it logs a warning but continues trying to parse the remainder of the data. This allows remote attackers to generate an extremely high volume of logs, constituting a DoS attack. This DoS is compounded by the fact that the logging subsystem is synchronous. All versions of Tornado prior to 6.5.0 are affected. The vulnerable parser is enabled by default. Upgrade to Tornado version 6.50 to receive a patch. As a workaround, risk can be mitigated by blocking `Content-Type: multipart/form-data` in a proxy."}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-770", "description": "CWE-770: Allocation of Resources Without Limits or Throttling"}]}], "providerMetadata": {"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M", "dateUpdated": "2025-05-15T21:17:55.188Z"}}}, "cveMetadata": {"cveId": "CVE-2025-47287", "state": "PUBLISHED", "dateUpdated": "2025-05-29T06:04:05.899Z", "dateReserved": "2025-05-05T16:53:10.374Z", "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "datePublished": "2025-05-15T21:17:55.188Z", "assignerShortName": "GitHub_M"}, "dataVersion": "5.1"}

{"cveTags": [], "descriptions": [{"lang": "en", "value": "Tornado is a Python web framework and asynchronous networking library. When Tornado's ``multipart/form-data`` parser encounters certain errors, it logs a warning but continues trying to parse the remainder of the data. This allows remote attackers to generate an extremely high volume of logs, constituting a DoS attack. This DoS is compounded by the fact that the logging subsystem is synchronous. All versions of Tornado prior to 6.5.0 are affected. The vulnerable parser is enabled by default. Upgrade to Tornado version 6.50 to receive a patch. As a workaround, risk can be mitigated by blocking `Content-Type: multipart/form-data` in a proxy."}, {"lang": "es", "value": "Tornado es un framework web de Python y una librer\u00eda de redes as\u00edncronas. Cuando el analizador ``multipart/form-data`` de Tornado detecta ciertos errores, registra una advertencia, pero contin\u00faa intentando analizar el resto de los datos. Esto permite a atacantes remotos generar un volumen extremadamente alto de registros, lo que constituye un ataque de denegaci\u00f3n de servicio (DoS). Este DoS se ve agravado por el hecho de que el subsistema de registro es s\u00edncrono. Todas las versiones de Tornado anteriores a la 6.5.0 est\u00e1n afectadas. El analizador vulnerable est\u00e1 habilitado por defecto. Actualice a la versi\u00f3n 6.50 de Tornado para recibir un parche. Como workaround, se puede mitigar el riesgo bloqueando `Content-Type: multipart/form-data` en un proxy."}], "id": "CVE-2025-47287", "lastModified": "2025-05-29T06:15:23.090", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 7.5, "baseSeverity": "HIGH", "confidentialityImpact": "NONE", "integrityImpact": "NONE", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", "version": "3.1"}, "exploitabilityScore": 3.9, "impactScore": 3.6, "source": "[email protected]", "type": "Secondary"}]}, "published": "2025-05-15T22:15:18.827", "references": [{"source": "[email protected]", "url": "https://github.com/tornadoweb/tornado/commit/b39b892bf78fe8fea01dd45199aa88307e7162f3"}, {"source": "[email protected]", "url": "https://github.com/tornadoweb/tornado/security/advisories/GHSA-7cx3-6m66-7c5m"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "url": "https://lists.debian.org/debian-lts-announce/2025/05/msg00038.html"}], "sourceIdentifier": "[email protected]", "vulnStatus": "Awaiting Analysis", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-770"}], "source": "[email protected]", "type": "Secondary"}]}

{"affected_release": [{"advisory": "RHSA-2025:8135", "cpe": "cpe:/o:redhat:enterprise_linux:10.0", "package": "python-tornado-0:6.4.2-1.el10_0.1", "product_name": "Red Hat Enterprise Linux 10", "release_date": "2025-05-26T00:00:00Z"}, {"advisory": "RHSA-2025:8664", "cpe": "cpe:/o:redhat:rhel_els:7", "package": "python-tornado-0:4.2.1-5.el7_9.1", "product_name": "Red Hat Enterprise Linux 7 Extended Lifecycle Support", "release_date": "2025-06-09T00:00:00Z"}, {"advisory": "RHSA-2025:8254", "cpe": "cpe:/a:redhat:enterprise_linux:8::highavailability", "package": "pcs-0:0.10.18-2.el8_10.5", "product_name": "Red Hat Enterprise Linux 8", "release_date": "2025-05-28T00:00:00Z"}, {"advisory": "RHSA-2025:8323", "cpe": "cpe:/a:redhat:rhel_tus:8.4::highavailability", "package": "pcs-0:0.10.8-1.el8_4.7", "product_name": "Red Hat Enterprise Linux 8.4 Telecommunications Update Service", "release_date": "2025-05-29T00:00:00Z"}, {"advisory": "RHSA-2025:8323", "cpe": "cpe:/a:redhat:rhel_e4s:8.4::highavailability", "package": "pcs-0:0.10.8-1.el8_4.7", "product_name": "Red Hat Enterprise Linux 8.4 Update Services for SAP Solutions", "release_date": "2025-05-29T00:00:00Z"}, {"advisory": "RHSA-2025:8290", "cpe": "cpe:/a:redhat:rhel_tus:8.6::highavailability", "package": "pcs-0:0.10.12-6.el8_6.8", "product_name": "Red Hat Enterprise Linux 8.6 Telecommunications Update Service", "release_date": "2025-05-29T00:00:00Z"}, {"advisory": "RHSA-2025:8290", "cpe": "cpe:/a:redhat:rhel_e4s:8.6::highavailability", "package": "pcs-0:0.10.12-6.el8_6.8", "product_name": "Red Hat Enterprise Linux 8.6 Update Services for SAP Solutions", "release_date": "2025-05-29T00:00:00Z"}, {"advisory": "RHSA-2025:8279", "cpe": "cpe:/a:redhat:rhel_eus:8.8::highavailability", "package": "pcs-0:0.10.15-4.el8_8.6", "product_name": "Red Hat Enterprise Linux 8.8 Extended Update Support", "release_date": "2025-05-28T00:00:00Z"}, {"advisory": "RHSA-2025:8136", "cpe": "cpe:/a:redhat:enterprise_linux:9", "package": "python-tornado-0:6.4.2-2.el9_6.2", "product_name": "Red Hat Enterprise Linux 9", "release_date": "2025-05-26T00:00:00Z"}, {"advisory": "RHSA-2025:8291", "cpe": "cpe:/a:redhat:rhel_e4s:9.0::highavailability", "package": "pcs-0:0.11.1-10.el9_0.8", "product_name": "Red Hat Enterprise Linux 9.0 Update Services for SAP Solutions", "release_date": "2025-05-29T00:00:00Z"}, {"advisory": "RHSA-2025:8226", "cpe": "cpe:/a:redhat:rhel_eus:9.2", "package": "python-tornado-0:6.4.2-1.el9_2.1", "product_name": "Red Hat Enterprise Linux 9.2 Extended Update Support", "release_date": "2025-05-27T00:00:00Z"}, {"advisory": "RHSA-2025:8223", "cpe": "cpe:/a:redhat:rhel_eus:9.4", "package": "python-tornado-0:6.4.2-1.el9_4.1", "product_name": "Red Hat Enterprise Linux 9.4 Extended Update Support", "release_date": "2025-05-27T00:00:00Z"}], "bugzilla": {"description": "tornado: Tornado Multipart Form-Data Denial of Service", "id": "2366703", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2366703"}, "csaw": false, "cvss3": {"cvss3_base_score": "7.5", "cvss3_scoring_vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", "status": "verified"}, "cwe": "CWE-770", "details": ["Tornado is a Python web framework and asynchronous networking library. When Tornado's ``multipart/form-data`` parser encounters certain errors, it logs a warning but continues trying to parse the remainder of the data. This allows remote attackers to generate an extremely high volume of logs, constituting a DoS attack. This DoS is compounded by the fact that the logging subsystem is synchronous. All versions of Tornado prior to 6.5.0 are affected. The vulnerable parser is enabled by default. Upgrade to Tornado version 6.50 to receive a patch. As a workaround, risk can be mitigated by blocking `Content-Type: multipart/form-data` in a proxy.", "A flaw was found in Tornado. This vulnerability can lead to a a denial of service by generating an extremely high volume of log entries."], "mitigation": {"lang": "en:us", "value": "No mitigation is currently available that meets Red Hat Product Security\u2019s standards for usability, deployment, applicability, or stability."}, "name": "CVE-2025-47287", "package_state": [{"cpe": "cpe:/o:redhat:enterprise_linux:9", "fix_state": "Affected", "package_name": "pcs", "product_name": "Red Hat Enterprise Linux 9"}, {"cpe": "cpe:/a:redhat:openshift:4", "fix_state": "Not affected", "package_name": "openshift4/ose-ovn-kubernetes", "product_name": "Red Hat OpenShift Container Platform 4"}, {"cpe": "cpe:/a:redhat:openshift:4", "fix_state": "Not affected", "package_name": "openshift4/ose-ovn-kubernetes-microshift-rhel9", "product_name": "Red Hat OpenShift Container Platform 4"}, {"cpe": "cpe:/a:redhat:openshift:4", "fix_state": "Not affected", "package_name": "openshift4/ose-ovn-kubernetes-rhel9", "product_name": "Red Hat OpenShift Container Platform 4"}, {"cpe": "cpe:/a:redhat:openshift:4", "fix_state": "Not affected", "package_name": "ose-ovn-kubernetes-base-container", "product_name": "Red Hat OpenShift Container Platform 4"}, {"cpe": "cpe:/a:redhat:openshift:4", "fix_state": "Not affected", "package_name": "python-pep517", "product_name": "Red Hat OpenShift Container Platform 4"}, {"cpe": "cpe:/a:redhat:openshift:4", "fix_state": "Not affected", "package_name": "python-tornado", "product_name": "Red Hat OpenShift Container Platform 4"}], "public_date": "2025-05-15T21:17:55Z", "references": ["https://www.cve.org/CVERecord?id=CVE-2025-47287\nhttps://nvd.nist.gov/vuln/detail/CVE-2025-47287\nhttps://github.com/tornadoweb/tornado/commit/b39b892bf78fe8fea01dd45199aa88307e7162f3\nhttps://github.com/tornadoweb/tornado/security/advisories/GHSA-7cx3-6m66-7c5m"], "statement": "This vulnerability marked as Important because it leverages the synchronous nature of the logging subsystem to induce a DoS condition. Specifically, malformed multipart/form-data payloads cause repeated, blocking log writes, which stall the event loop that underpins Tornado\u2019s asynchronous architecture. Furthermore, because the vulnerable multipart parser is enabled by default, applications that are otherwise well-secured and do not even use file uploads can still be targeted unless they explicitly block these requests at a proxy.", "threat_severity": "Important"}