Vulnerability details: VCID-62bx-a5uf-j3b4
Vulnerability ID VCID-62bx-a5uf-j3b4
Aliases CVE-2025-47287
GHSA-7cx3-6m66-7c5m
Summary Tornado vulnerable to excessive logging caused by malformed multipart form data

### Summary

When Tornado's `multipart/form-data` parser encounters certain errors, it logs a warning but continues trying to parse the remainder of the data. This allows remote attackers to generate an extremely high volume of logs, constituting a DoS attack. This DoS is compounded by the fact that the logging subsystem is synchronous.

### Affected versions

All versions of Tornado prior to 6.5 are affected. The vulnerable parser is enabled by default.

### Solution

Upgrade to Tornado version 6.5. In the meantime, risk can be mitigated by blocking `Content-Type: multipart/form-data` in a proxy.
Status Published
Exploitability 0.5
Weighted Severity 8.0
Risk 4.0
System Score Found at
cvssv3 7.5 https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2025-47287.json
epss 0.01164 https://api.first.org/data/v1/epss?cve=CVE-2025-47287
cvssv3.1 7.5 https://ftp.suse.com/pub/projects/security/yaml/suse-cvss-scores.yaml
cvssv3.1_qr HIGH https://github.com/advisories/GHSA-7cx3-6m66-7c5m
cvssv3.1 7.5 https://github.com/tornadoweb/tornado
generic_textual HIGH https://github.com/tornadoweb/tornado
cvssv3.1 7.5 https://github.com/tornadoweb/tornado/commit/b39b892bf78fe8fea01dd45199aa88307e7162f3
generic_textual HIGH https://github.com/tornadoweb/tornado/commit/b39b892bf78fe8fea01dd45199aa88307e7162f3
ssvc Track https://github.com/tornadoweb/tornado/commit/b39b892bf78fe8fea01dd45199aa88307e7162f3
cvssv3.1 7.5 https://github.com/tornadoweb/tornado/security/advisories/GHSA-7cx3-6m66-7c5m
cvssv3.1_qr HIGH https://github.com/tornadoweb/tornado/security/advisories/GHSA-7cx3-6m66-7c5m
generic_textual HIGH https://github.com/tornadoweb/tornado/security/advisories/GHSA-7cx3-6m66-7c5m
ssvc Track https://github.com/tornadoweb/tornado/security/advisories/GHSA-7cx3-6m66-7c5m
cvssv3.1 7.5 https://lists.debian.org/debian-lts-announce/2025/05/msg00038.html
generic_textual HIGH https://lists.debian.org/debian-lts-announce/2025/05/msg00038.html
cvssv3.1 7.5 https://nvd.nist.gov/vuln/detail/CVE-2025-47287
generic_textual HIGH https://nvd.nist.gov/vuln/detail/CVE-2025-47287
No exploits are available.
Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H Found at https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2025-47287.json
Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H Found at https://ftp.suse.com/pub/projects/security/yaml/suse-cvss-scores.yaml
Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H Found at https://github.com/tornadoweb/tornado
Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H Found at https://github.com/tornadoweb/tornado/commit/b39b892bf78fe8fea01dd45199aa88307e7162f3
Vector: SSVCv2/E:N/A:Y/T:P/P:M/B:A/M:M/D:T/2025-05-16T13:36:22Z/ Found at https://github.com/tornadoweb/tornado/commit/b39b892bf78fe8fea01dd45199aa88307e7162f3
Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H Found at https://github.com/tornadoweb/tornado/security/advisories/GHSA-7cx3-6m66-7c5m
Vector: SSVCv2/E:N/A:Y/T:P/P:M/B:A/M:M/D:T/2025-05-16T13:36:22Z/ Found at https://github.com/tornadoweb/tornado/security/advisories/GHSA-7cx3-6m66-7c5m
Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H Found at https://lists.debian.org/debian-lts-announce/2025/05/msg00038.html
Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H Found at https://nvd.nist.gov/vuln/detail/CVE-2025-47287
Exploit Prediction Scoring System (EPSS)
Percentile 0.78571
EPSS Score 0.01164
Published At April 2, 2026, 12:55 p.m.
Date Actor Action Source VulnerableCode Version
2026-04-01T12:57:02.716568+00:00 GithubOSV Importer Import https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2025/05/GHSA-7cx3-6m66-7c5m/GHSA-7cx3-6m66-7c5m.json 38.0.0