Vulnerability details: VCID-hmev-s7nv-wub2
Vulnerability ID VCID-hmev-s7nv-wub2
Aliases CVE-2025-47287
GHSA-7cx3-6m66-7c5m
Summary Tornado is a Python web framework and asynchronous networking library. When Tornado's `multipart/form-data` parser encounters certain errors, it logs a warning but continues trying to parse the remainder of the data. This allows remote attackers to generate an extremely high volume of logs, constituting a DoS attack. This DoS is compounded by the fact that the logging subsystem is synchronous. All versions of Tornado prior to 6.5.0 are affected. The vulnerable parser is enabled by default. Upgrade to Tornado version 6.5.0 to receive a patch. As a workaround, risk can be mitigated by blocking `Content-Type: multipart/form-data` in a proxy.
Status Published
Exploitability 0.5
Weighted Severity 8.0
Risk 4.0
System Score Found at
cvssv3 7.5 https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2025-47287.json
epss 0.00099 https://api.first.org/data/v1/epss?cve=CVE-2025-47287
epss 0.0012 https://api.first.org/data/v1/epss?cve=CVE-2025-47287
epss 0.0013 https://api.first.org/data/v1/epss?cve=CVE-2025-47287
epss 0.00136 https://api.first.org/data/v1/epss?cve=CVE-2025-47287
cvssv3.1 7.5 https://ftp.suse.com/pub/projects/security/yaml/suse-cvss-scores.yaml
cvssv3.1_qr HIGH https://github.com/advisories/GHSA-7cx3-6m66-7c5m
cvssv3.1 7.5 https://github.com/tornadoweb/tornado
generic_textual HIGH https://github.com/tornadoweb/tornado
cvssv3.1 7.5 https://github.com/tornadoweb/tornado/commit/b39b892bf78fe8fea01dd45199aa88307e7162f3
generic_textual HIGH https://github.com/tornadoweb/tornado/commit/b39b892bf78fe8fea01dd45199aa88307e7162f3
ssvc Track https://github.com/tornadoweb/tornado/commit/b39b892bf78fe8fea01dd45199aa88307e7162f3
cvssv3.1 7.5 https://github.com/tornadoweb/tornado/security/advisories/GHSA-7cx3-6m66-7c5m
cvssv3.1_qr HIGH https://github.com/tornadoweb/tornado/security/advisories/GHSA-7cx3-6m66-7c5m
generic_textual HIGH https://github.com/tornadoweb/tornado/security/advisories/GHSA-7cx3-6m66-7c5m
ssvc Track https://github.com/tornadoweb/tornado/security/advisories/GHSA-7cx3-6m66-7c5m
cvssv3.1 7.5 https://lists.debian.org/debian-lts-announce/2025/05/msg00038.html
generic_textual HIGH https://lists.debian.org/debian-lts-announce/2025/05/msg00038.html
cvssv3.1 7.5 https://nvd.nist.gov/vuln/detail/CVE-2025-47287
generic_textual HIGH https://nvd.nist.gov/vuln/detail/CVE-2025-47287
Reference id Reference type URL
https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2025-47287.json
https://api.first.org/data/v1/epss?cve=CVE-2025-47287
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2025-47287
https://ftp.suse.com/pub/projects/security/yaml/suse-cvss-scores.yaml
https://github.com/tornadoweb/tornado
https://lists.debian.org/debian-lts-announce/2025/05/msg00038.html
https://nvd.nist.gov/vuln/detail/CVE-2025-47287
1105886 https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1105886
2366703 https://bugzilla.redhat.com/show_bug.cgi?id=2366703
b39b892bf78fe8fea01dd45199aa88307e7162f3 https://github.com/tornadoweb/tornado/commit/b39b892bf78fe8fea01dd45199aa88307e7162f3
GHSA-7cx3-6m66-7c5m https://github.com/advisories/GHSA-7cx3-6m66-7c5m
GHSA-7cx3-6m66-7c5m https://github.com/tornadoweb/tornado/security/advisories/GHSA-7cx3-6m66-7c5m
RHSA-2025:8135 https://access.redhat.com/errata/RHSA-2025:8135
RHSA-2025:8136 https://access.redhat.com/errata/RHSA-2025:8136
RHSA-2025:8223 https://access.redhat.com/errata/RHSA-2025:8223
RHSA-2025:8226 https://access.redhat.com/errata/RHSA-2025:8226
RHSA-2025:8254 https://access.redhat.com/errata/RHSA-2025:8254
RHSA-2025:8279 https://access.redhat.com/errata/RHSA-2025:8279
RHSA-2025:8290 https://access.redhat.com/errata/RHSA-2025:8290
RHSA-2025:8291 https://access.redhat.com/errata/RHSA-2025:8291
RHSA-2025:8323 https://access.redhat.com/errata/RHSA-2025:8323
RHSA-2025:8664 https://access.redhat.com/errata/RHSA-2025:8664
USN-7547-1 https://usn.ubuntu.com/7547-1/
No exploits are available.
Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H Found at https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2025-47287.json
Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H Found at https://ftp.suse.com/pub/projects/security/yaml/suse-cvss-scores.yaml
Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H Found at https://github.com/tornadoweb/tornado
Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H Found at https://github.com/tornadoweb/tornado/commit/b39b892bf78fe8fea01dd45199aa88307e7162f3
Vector: SSVCv2/E:N/A:Y/T:P/P:M/B:A/M:M/D:T/2025-05-16T13:36:22Z/ Found at https://github.com/tornadoweb/tornado/commit/b39b892bf78fe8fea01dd45199aa88307e7162f3
Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H Found at https://github.com/tornadoweb/tornado/security/advisories/GHSA-7cx3-6m66-7c5m
Vector: SSVCv2/E:N/A:Y/T:P/P:M/B:A/M:M/D:T/2025-05-16T13:36:22Z/ Found at https://github.com/tornadoweb/tornado/security/advisories/GHSA-7cx3-6m66-7c5m
Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H Found at https://lists.debian.org/debian-lts-announce/2025/05/msg00038.html
Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H Found at https://nvd.nist.gov/vuln/detail/CVE-2025-47287
Exploit Prediction Scoring System (EPSS)
Percentile 0.28716
EPSS Score 0.00099
Published At May 16, 2025, 12:55 p.m.
Date Actor Action Source VulnerableCode Version
2025-05-16T20:06:43.378803+00:00 Debian Importer Import https://security-tracker.debian.org/tracker/data/json 36.0.0