VulnerableCode Package Details - pkg:deb/debian/python-tornado@6.2.0-3%2Bdeb12u1

Search for packages

Vulnerability	Summary	Fixed by
VCID-hmev-s7nv-wub2 Aliases: CVE-2025-47287 GHSA-7cx3-6m66-7c5m	Tornado is a Python web framework and asynchronous networking library. When Tornado's ``multipart/form-data`` parser encounters certain errors, it logs a warning but continues trying to parse the remainder of the data. This allows remote attackers to generate an extremely high volume of logs, constituting a DoS attack. This DoS is compounded by the fact that the logging subsystem is synchronous. All versions of Tornado prior to 6.5.0 are affected. The vulnerable parser is enabled by default. Upgrade to Tornado version 6.50 to receive a patch. As a workaround, risk can be mitigated by blocking `Content-Type: multipart/form-data` in a proxy.	6.2.0-3+deb12u2 Affected by 0 other vulnerabilities. 6.4.2-3 Affected by 0 other vulnerabilities.

Vulnerability

Summary

Fixed by

VCID-hmev-s7nv-wub2
Aliases:
CVE-2025-47287
GHSA-7cx3-6m66-7c5m

Tornado is a Python web framework and asynchronous networking library. When Tornado's ``multipart/form-data`` parser encounters certain errors, it logs a warning but continues trying to parse the remainder of the data. This allows remote attackers to generate an extremely high volume of logs, constituting a DoS attack. This DoS is compounded by the fact that the logging subsystem is synchronous. All versions of Tornado prior to 6.5.0 are affected. The vulnerable parser is enabled by default. Upgrade to Tornado version 6.50 to receive a patch. As a workaround, risk can be mitigated by blocking `Content-Type: multipart/form-data` in a proxy.

6.2.0-3+deb12u2
Affected by 0 other vulnerabilities.

6.4.2-3
Affected by 0 other vulnerabilities.

Vulnerability	Summary	Aliases
VCID-1ucn-3yzf-73c1	Tornado has an HTTP cookie parsing DoS vulnerability	CVE-2024-52804 GHSA-8w49-h785-mj3c
VCID-9bab-qq7f-aaah	Open redirect in Tornado	CVE-2023-28370 GHSA-hj3f-6gcp-jg8j PYSEC-2023-75

Vulnerability

Summary

Aliases

VCID-1ucn-3yzf-73c1

Tornado has an HTTP cookie parsing DoS vulnerability

CVE-2024-52804
GHSA-8w49-h785-mj3c

VCID-9bab-qq7f-aaah

Open redirect in Tornado

CVE-2023-28370
GHSA-hj3f-6gcp-jg8j
PYSEC-2023-75

Date	Actor	Action	Vulnerability	Source	VulnerableCode Version
2025-06-22T16:52:09.671337+00:00	Debian Importer	Fixing	VCID-9bab-qq7f-aaah	None	36.1.3
2025-06-21T06:55:10.235535+00:00	Debian Importer	Affected by	VCID-hmev-s7nv-wub2	https://security-tracker.debian.org/tracker/data/json	36.1.3
2025-06-21T01:34:40.103592+00:00	Debian Importer	Fixing	VCID-9bab-qq7f-aaah	https://security-tracker.debian.org/tracker/data/json	36.1.3
2025-06-20T22:09:08.554242+00:00	Debian Importer	Fixing	VCID-1ucn-3yzf-73c1	https://security-tracker.debian.org/tracker/data/json	36.1.3
2025-05-31T21:13:32.476915+00:00	Debian Importer	Affected by	VCID-hmev-s7nv-wub2	https://security-tracker.debian.org/tracker/data/json	36.0.0
2025-04-13T02:44:47.648248+00:00	Debian Oval Importer	Fixing	VCID-9bab-qq7f-aaah	https://www.debian.org/security/oval/oval-definitions-bullseye.xml.bz2	36.0.0
2025-04-13T02:42:12.416595+00:00	Debian Oval Importer	Fixing	VCID-1ucn-3yzf-73c1	https://www.debian.org/security/oval/oval-definitions-bullseye.xml.bz2	36.0.0
2025-04-06T09:49:01.706169+00:00	Debian Importer	Fixing	VCID-9bab-qq7f-aaah	None	36.0.0
2025-04-04T04:19:10.022270+00:00	Debian Importer	Fixing	VCID-9bab-qq7f-aaah	https://security-tracker.debian.org/tracker/data/json	36.0.0
2025-04-04T00:47:29.970945+00:00	Debian Importer	Fixing	VCID-1ucn-3yzf-73c1	https://security-tracker.debian.org/tracker/data/json	36.0.0
2025-02-22T05:32:59.593246+00:00	Debian Importer	Fixing	VCID-1ucn-3yzf-73c1	https://security-tracker.debian.org/tracker/data/json	35.1.0
2025-02-21T10:29:20.146529+00:00	Debian Importer	Fixing	VCID-9bab-qq7f-aaah	None	35.1.0
2025-02-21T10:29:16.761610+00:00	Debian Importer	Fixing	VCID-9bab-qq7f-aaah	https://security-tracker.debian.org/tracker/data/json	35.1.0