Security
Headlines
HeadlinesLatestCVEs

Headline

GHSA-7cx3-6m66-7c5m: Tornado vulnerable to excessive logging caused by malformed multipart form data

Summary

When Tornado’s multipart/form-data parser encounters certain errors, it logs a warning but continues trying to parse the remainder of the data. This allows remote attackers to generate an extremely high volume of logs, constituting a DoS attack. This DoS is compounded by the fact that the logging subsystem is synchronous.

Affected versions

All versions of Tornado prior to 6.5.0 are affected. The vulnerable parser is enabled by default.

Solution

Upgrade to Tornado version 6.5. In the meantime, risk can be mitigated by blocking Content-Type: multipart/form-data in a proxy.

ghsa
Open in Source
#vulnerability#web#git

Skip to content

Navigation Menu

    • GitHub Copilot

      Write better code with AI

    • GitHub Advanced Security

      Find and fix vulnerabilities

    • Actions

      Automate any workflow

    • Codespaces

      Instant dev environments

    • Issues

      Plan and track work

    • Code Review

      Manage code changes

    • Discussions

      Collaborate outside of code

    • Code Search

      Find more, search less

  • Explore

    • Learning Pathways
    • Events & Webinars
    • Ebooks & Whitepapers
    • Customer Stories
    • Partners
    • Executive Insights

    • GitHub Sponsors

      Fund open source developers

*   The ReadME Project
    
    GitHub community articles

    • Enterprise platform

      AI-powered developer platform

  • Pricing

Provide feedback

Saved searches****Use saved searches to filter your results more quickly

Sign up

Appearance settings

  1. GitHub Advisory Database
  2. GitHub Reviewed
  3. CVE-2025-47287

Tornado vulnerable to excessive logging caused by malformed multipart form data

High severity GitHub Reviewed Published May 15, 2025 in tornadoweb/tornado • Updated May 16, 2025

Package

pip tornado (pip)

Affected versions

< 6.5.0

Description

Summary

When Tornado’s multipart/form-data parser encounters certain errors, it logs a warning but continues trying to parse the remainder of the data. This allows remote attackers to generate an extremely high volume of logs, constituting a DoS attack. This DoS is compounded by the fact that the logging subsystem is synchronous.

Affected versions

All versions of Tornado prior to 6.5.0 are affected. The vulnerable parser is enabled by default.

Solution

Upgrade to Tornado version 6.5. In the meantime, risk can be mitigated by blocking Content-Type: multipart/form-data in a proxy.

References

  • GHSA-7cx3-6m66-7c5m
  • https://nvd.nist.gov/vuln/detail/CVE-2025-47287
  • tornadoweb/tornado@b39b892

Published to the GitHub Advisory Database

May 16, 2025

Last updated

May 16, 2025

EPSS score

ghsa: Latest News

GHSA-9fwj-9mjf-rhj3: laravel-auth0 SDK Vulnerable to Brute Force Authentication Tags of CookieStore Sessions
ghsa