Denial of Service Vulnerability in Tornado Web Framework by Tornado
CVE-2025-47287
Key Information:
- Vendor: Tornadoweb
- CVE Published: 15 May 2025
What is CVE-2025-47287?
CVE-2025-47287 is a denial of service (DoS) vulnerability identified in the Tornado web framework, an open-source Python-based library designed for building web applications and handling asynchronous networking. This vulnerability arises in Tornado's multipart/form-data parser, which, when confronted with specific errors, continues parsing the data while excessively logging warnings. The result is an overwhelming amount of log entries, leading to a degradation of service availability for the affected application. This vulnerability affects all versions of Tornado prior to 6.5.0, and the parser in question is enabled by default, increasing the risks for organizations employing this framework. Organizations that rely on Tornado for web applications could suffer increased operational costs due to service interruptions and could face reputational damage as a consequence of a potential outage.
Potential impact of CVE-2025-47287
- Service Availability Disruption: The excessive logging caused by this vulnerability results in potential service outages, as the synchronous nature of Tornado's logging subsystem could hinder the application's ability to process requests effectively.
- Resource Exhaustion: The generation of a high volume of logs can lead to resource exhaustion on the server, consuming CPU and disk space, which may impede the performance of the web application and affect other hosted services.
- Increased Operational Costs: Organizations may incur additional costs associated with remedial actions required to manage the effects of the DoS attack, including the need for enhanced monitoring, additional server resources, and time spent on incident response and recovery.
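A defence-in-depth sketch for the log flood described above, added here and not taken from the advisory or the Tornado project: a `logging.Filter` that caps WARNING records on the `tornado.general` logger and counts what it suppresses. The class and function names, the limit of 20 records per second, and the sample messages are assumptions constructed for the example.

```python
import logging
import time
from logging.handlers import BufferingHandler


class WarningBurstFilter(logging.Filter):
    """Pass at most `limit` WARNING records per `window` seconds; count the rest."""

    def __init__(self, limit=20, window=1.0, clock=time.monotonic):
        super().__init__()
        self.limit, self.window, self.clock = limit, window, clock
        self.window_start = clock()
        self.passed = 0
        self.dropped = 0  # suppressed records; a rising value signals a flood

    def filter(self, record):
        if record.levelno != logging.WARNING:
            return True  # only WARNING records are throttled
        now = self.clock()
        if now - self.window_start >= self.window:
            self.window_start, self.passed = now, 0  # start a new window
        if self.passed < self.limit:
            self.passed += 1
            return True
        self.dropped += 1
        return False


def simulate_flood(n_warnings, limit=20):
    """Constructed demo: returns (emitted in window 1, dropped, emitted total)."""
    fake_now = [0.0]  # injected clock, so the demo needs no sleeping
    log = logging.getLogger("tornado.general")
    flt = WarningBurstFilter(limit, 1.0, lambda: fake_now[0])
    sink = BufferingHandler(10**6)  # in-memory sink; records land in sink.buffer
    old_level = log.level
    log.setLevel(logging.WARNING)
    log.addFilter(flt)
    log.addHandler(sink)
    try:
        for i in range(n_warnings):
            log.warning("constructed multipart parse warning %d", i)
        log.error("constructed error record")  # passes: not a WARNING
        first_window = len(sink.buffer)
        fake_now[0] = 1.5  # move past the 1 s window
        log.warning("constructed warning after rollover")
        return first_window, flt.dropped, len(sink.buffer)
    finally:
        log.removeFilter(flt)
        log.removeHandler(sink)
        log.setLevel(old_level)
```

In an application the filter would be attached once at startup with `logging.getLogger("tornado.general").addFilter(WarningBurstFilter())`. It bounds log volume only; the parser behaviour itself is unchanged on versions prior to 6.5.0.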

Affected Version(s)
tornado < 6.5.0
News Articles
Allocation of Resources Without Limits or Throttling in python-tornado | CVE-2025-47287 | Snyk
Allocation of Resources Without Limits or Throttling in python-tornado | CVE-2025-47287
CVE-2025-47287 Impact, Exploitability, and Mitigation Steps | Wiz
Understand the critical aspects of CVE-2025-47287 with a detailed vulnerability assessment, exploitation potential, affected technologies, and remediation guidance.
Timeline
- Exploit known to exist
- First article discovered by wiz.io
- Vulnerability published
- Vulnerability Reserved
