HIGH 7.5
GHSA-7cx3-6m66-7c5m
Tornado vulnerable to excessive logging caused by malformed multipart form data
Details
### Summary
When Tornado's `multipart/form-data` parser encounters certain errors, it logs a warning but continues trying to parse the remainder of the data. This allows remote attackers to generate an extremely high volume of logs, constituting a DoS attack. This DoS is compounded by the fact that the logging subsystem is synchronous.
### Affected versions
All versions of Tornado prior to 6.5 are affected. The vulnerable parser is enabled by default.
### Solution
Upgrade to Tornado version 6.5. In the meantime, risk can be mitigated by blocking `Content-Type: multipart/form-data` in a proxy.
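Until the upgrade lands, operators can at least watch for the symptom the advisory describes: a flood of parser warnings. The following is an added example, not code from the advisory or from Tornado, of a sliding-window burst detector over server log lines; the log line layout and the warning text `Invalid multipart/form-data` are assumptions modelled on Tornado's default logging, and the sample log is constructed.

```python
# Added example (not Tornado's code, not from the advisory): a sliding-window
# burst detector for the warnings the pre-6.5 multipart parser emits. Line
# layout and message text are assumptions modelled on Tornado's default logging.
import re
from collections import deque
from datetime import datetime, timedelta

LINE_RE = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2})(?:,\d+)? "
    r"WARNING tornado\.general (?P<msg>.*)$"
)

def multipart_warning_time(line):
    """Timestamp of a multipart parser warning line, else None."""
    m = LINE_RE.match(line)
    if not m or "multipart/form-data" not in m.group("msg"):
        return None
    return datetime.strptime(m.group("ts"), "%Y-%m-%d %H:%M:%S")

def detect_bursts(lines, window_seconds=1, threshold=5):
    """Return the start time of each burst, i.e. the moment the number of
    multipart warnings in the trailing window exceeds the threshold.
    Lines are assumed to be in chronological order."""
    recent, alerts, alerting = deque(), [], False
    for line in lines:
        ts = multipart_warning_time(line)
        if ts is None:
            continue
        recent.append(ts)
        cutoff = ts - timedelta(seconds=window_seconds)
        while recent[0] < cutoff:        # drop entries outside the window
            recent.popleft()
        if len(recent) > threshold:
            if not alerting:             # report each burst only once
                alerts.append(ts)
                alerting = True
        else:
            alerting = False
    return alerts

# Constructed sample log: one normal request, a burst of six parser warnings
# within one second, then an isolated warning half a minute later.
SAMPLE_LOG = [
    "2025-05-15 12:00:00,001 INFO tornado.access 200 GET / (203.0.113.5) 1.2ms",
] + ["2025-05-15 12:00:01,%03d WARNING tornado.general Invalid multipart/form-data" % i
     for i in range(6)] + [
    "2025-05-15 12:00:30,000 WARNING tornado.general Invalid multipart/form-data",
]

if __name__ == "__main__":
    print(detect_bursts(SAMPLE_LOG))    # prints [datetime.datetime(2025, 5, 15, 12, 0, 1)]
```

Tune `window_seconds` and `threshold` to the normal rate of malformed uploads on the service; a single alert per burst keeps the detector itself from becoming another log flood.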
References
- https://github.com/tornadoweb/tornado/security/advisories/GHSA-7cx3-6m66-7c5m [WEB]
- https://nvd.nist.gov/vuln/detail/CVE-2025-47287 [ADVISORY]
- https://github.com/tornadoweb/tornado/commit/b39b892bf78fe8fea01dd45199aa88307e7162f3 [WEB]
- https://github.com/tornadoweb/tornado [PACKAGE]
- https://lists.debian.org/debian-lts-announce/2025/05/msg00038.html [WEB]