PT-2025-21576 · Tornado+10

Startr4Ck · Published 2025-05-15 · Updated 2026-04-06 · CVE-2025-47287

CVSS v2.0: 7.8 (High)
Vector: AV:N/AC:L/Au:N/C:N/I:N/A:C

Name of the Vulnerable Software and Affected Versions: Tornado versions prior to 6.5.0
Description: The issue allows remote attackers to generate a high volume of logs, constituting a denial-of-service (DoS) attack, by exploiting Tornado's multipart/form-data parser when it encounters certain errors. The logging subsystem being synchronous compounds this DoS. The vulnerable parser is enabled by default.
Recommendations: For versions prior to 6.5.0, upgrade to Tornado version 6.5.0 to receive a patch. As a temporary workaround, consider blocking Content-Type: multipart/form-data in a proxy to mitigate the risk.

Exploit · Fix · DoS · Allocation of Resources Without Limits

Weakness Enumeration

Related Identifiers

ALSA-2025:8135
ALSA-2025:8136
ALSA-2025:8254
AZL-61860
AZL-61866
BDU:2025-08361
CESA-2025_8254
CVE-2025-47287
DLA-4188-1
DSA-5938-1
GHSA-7CX3-6M66-7C5M
INFSA-2025_8136
INFSA-2025_8254
MGASA-2025-0282
OESA-2025-1554
OESA-2025-1555
OESA-2025-1614
OESA-2025-1615
OESA-2025-1905
OESA-2025-2580
OPENSUSE-SU-2025:15153-1
OPENSUSE-SU-2025:15295-1
OPENSUSE-SU-2025_01649-1
RHSA-2025:8135
RHSA-2025:8136
RHSA-2025:8223
RHSA-2025:8226
RHSA-2025:8254
RHSA-2025:8279
RHSA-2025:8290
RHSA-2025:8291
RHSA-2025:8323
RHSA-2025:8664
RHSA-2025_8136
RHSA-2025_8254
SUSE-SU-2025:01649-1
SUSE-SU-2025:01649-2
SUSE-SU-2025:01726-1
SUSE-SU-2025:01726-2
SUSE-SU-2025:01732-1
SUSE-SU-2025:02491-1
SUSE-SU-2025:02492-1
SUSE-SU-2025:02499-1
SUSE-SU-2025:02500-1
SUSE-SU-2025:02501-1
SUSE-SU-2025:02502-1
SUSE-SU-2025:02534-1
SUSE-SU-2025:20430-1
SUSE-SU-2025:20445-1
SUSE-SU-2025:20487-1
SUSE-SU-2025:20504-1
SUSE-SU-2025_01649-1
SUSE-SU-2025_01726-1
SUSE-SU-2025_01726-2
SUSE-SU-2025_02500-1
SUSE-SU-2025_02501-1
SUSE-SU-2025_02534-1
USN-7547-1

Affected Products

AlmaLinux
Astra Linux
CentOS
Debian
Linux Mint
Red Hat
RED OS
Rocky Linux
SUSE
Tornado
Ubuntu