7.5

CVSS Score

Basic Information

CVE ID

CVE-2025-47287

GHSA ID

GHSA-7cx3-6m66-7c5m

EPSS Score

CWE

CWE-770

Published

5/16/2025

Updated

5/16/2025

KEV Status

Technology

Python

Concerned about an active attack path?

Talk to our security experts and see Miggo in action.

Miggo Vulnerability Database

→

CVE-2025-47287

CVE-2025-47287:
Tornado vulnerable to excessive logging caused by malformed multipart form data

Summary

When Tornado's multipart/form-data parser encounters certain errors, it logs a warning but continues trying to parse the remainder of the data. This allows remote attackers to generate an extremely high volume of logs, constituting a DoS attack. This DoS is compounded by the fact that the logging subsystem is synchronous.

Affected versions

All versions of Tornado prior to 6.5.0 are affected. The vulnerable parser is enabled by default.

Solution

Upgrade to Tornado version 6.5. In the meantime, risk can be mitigated by blocking Content-Type: multipart/form-data in a proxy.

(GitHub Advisory)

7.5

CVSS Score

Basic Information

CVE ID

CVE-2025-47287

GHSA ID

GHSA-7cx3-6m66-7c5m

EPSS Score

CWE

CWE-770

Published

5/16/2025

Updated

5/16/2025

KEV Status

Technology

Python

Technical Details

CVSS Vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

Package Name	Ecosystem	Vulnerable Versions	First Patched Version
tornado	pip	< 6.5.0	6.5.0

Vulnerability Intelligence
Miggo AI

Root Cause Analysis

The vulnerability lies in Tornado's multipart/form-data parser, which, prior to the patch, would log warnings upon encountering errors but continue parsing. This allowed for excessive log generation, leading to a DoS. The provided commit b39b892bf78fe8fea01dd45199aa88307e7162f3 modifies tornado/httputil.py. Specifically, the functions parse_body_arguments and parse_multipart_form_data were changed to raise HTTPInputError instead of calling gen_log.warning when malformed data was encountered. These two functions are therefore the ones that contained the vulnerable logic. During exploitation, these functions would be in the call stack and responsible for the excessive logging. The changes in tornado/web.py (specifically in RequestHandler._execute) are part of the mitigation to handle these new exceptions gracefully, but the core vulnerability was within the parsing functions in httputil.py.

Vulnerable functions

Only Mi**o us*rs **n s** t*is s**tion

WAF Protection Rules

WAF Rule

### Summ*ry W**n Torn**o's ``multip*rt/*orm-**t*`` p*rs*r *n*ount*rs **rt*in *rrors, it lo*s * w*rnin* *ut *ontinu*s tryin* to p*rs* t** r*m*in**r o* t** **t*. T*is *llows r*mot* *tt**k*rs to **n*r*t* *n *xtr*m*ly *i** volum* o* lo*s, *onstitutin* *

Reasoning

T** vuln*r**ility li*s in Torn**o's multip*rt/*orm-**t* p*rs*r, w*i**, prior to t** p*t**, woul* lo* w*rnin*s upon *n*ount*rin* *rrors *ut *ontinu* p*rsin*. T*is *llow** *or *x**ssiv* lo* **n*r*tion, l***in* to * *oS. T** provi*** *ommit `***********

7.5

Basic Information

Concerned about an active attack path?

CVE-2025-47287: Tornado vulnerable to excessive logging caused by malformed multipart form data

Summary

Affected versions

Solution

7.5

Basic Information

Technical Details

Vulnerability IntelligenceMiggo AI

Root Cause Analysis

Vulnerable functions

WAF Protection Rules

WAF Rule

Reasoning

CVE-2025-47287:
Tornado vulnerable to excessive logging caused by malformed multipart form data

Vulnerability Intelligence
Miggo AI