PT-2025-21576 · Tornado+10 · Tornado+10
Startr4Ck
·
Publicado
2025-05-15
·
Atualizado
2026-06-03
·
CVE-2025-47287
CVSS v2.0
7.8
Alta
| Vetor | AV:N/AC:L/Au:N/C:N/I:N/A:C |
Name of the Vulnerable Software and Affected Versions:
Tornado versions prior to 6.5.0
Description:
The issue allows remote attackers to generate a high volume of logs, constituting a denial-of-service (DoS) attack, by exploiting Tornado's
multipart/form-data parser when it encounters certain errors. The logging subsystem being synchronous compounds this DoS. The vulnerable parser is enabled by default.Recommendations:
For versions prior to 6.5.0, upgrade to Tornado version 6.5.0 to receive a patch.
As a temporary workaround, consider blocking
Content-Type: multipart/form-data in a proxy to mitigate the risk.Exploit
Correção
DoS
Allocation of Resources Without Limits
Encontrou algum problema na descrição? Tem algo a acrescentar? Fique à vontade para nos escrever 👾
Enumeração de Fraquezas
Identificadores relacionados
Produtos afetados
Almalinux
Astra Linux
Centos
Debian
Linuxmint
Red Hat
Red Os
Rocky Linux
Suse
Tornado
Ubuntu