CVE-2025-47287
Publication date 15 May 2025
Last updated 4 June 2025
Ubuntu priority
Tornado is a Python web framework and asynchronous networking library. When Tornado's ``multipart/form-data`` parser encounters certain errors, it logs a warning but continues trying to parse the remainder of the data. This allows remote attackers to generate an extremely high volume of logs, constituting a DoS attack. This DoS is compounded by the fact that the logging subsystem is synchronous. All versions of Tornado prior to 6.5.0 are affected. The vulnerable parser is enabled by default. Upgrade to Tornado version 6.50 to receive a patch. As a workaround, risk can be mitigated by blocking `Content-Type: multipart/form-data` in a proxy.
Status
| Package | Ubuntu Release | Status |
|---|---|---|
| python-tornado | 25.04 plucky |
Fixed 6.4.2-1ubuntu0.25.04.1
|
| 24.10 oracular |
Fixed 6.4.1-2ubuntu0.2
|
|
| 24.04 LTS noble |
Fixed 6.4.0-1ubuntu0.2
|
|
| 22.04 LTS jammy |
Fixed 6.1.0-3ubuntu0.1~esm2
|
|
| 20.04 LTS focal | Ignored change too intrusive | |
| 18.04 LTS bionic | Ignored change too intrusive | |
| 16.04 LTS xenial | Ignored change too intrusive |
Get expanded security coverage with Ubuntu Pro
Reduce your average CVE exposure time from 98 days to 1 day with expanded CVE patching, ten-years security maintenance and optional support for the full stack of open-source applications. Free for personal use.
Get Ubuntu ProNotes
shishirsub10
test failed by the patch in releases below focal, using a pre-patch to fix the test breaks the functionality
Severity score breakdown
| Parameter | Value |
|---|---|
| Base score |
7.5 · High
|
| Attack vector | Network |
| Attack complexity | Low |
| Privileges required | None |
| User interaction | None |
| Scope | Unchanged |
| Confidentiality | None |
| Integrity impact | None |
| Availability impact | High |
| Vector | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H |
References
Related Ubuntu Security Notices (USN)
- USN-7547-1
- Tornado vulnerability
- 2 June 2025