CVE-2025-47287
Published: 15 May 2025
Summary
CVE-2025-47287 is a high-severity Allocation of Resources Without Limits or Throttling (CWE-770) vulnerability in Tornadoweb Tornado. Its CVSS base score is 7.5 (High).
By EPSS it ranks in the top 21.0% of CVEs by exploit likelihood; it is not currently listed in the CISA KEV catalog.
Deeper analysis
Tornado is a Python web framework and asynchronous networking library. Its `multipart/form-data` parser is vulnerable to uncontrolled resource consumption: when it encounters certain errors in a part it logs a warning and then continues parsing the remainder of the body, so a single body made of many malformed parts yields one warning per part. Because Tornado's logging is synchronous, those log writes happen on the thread that runs the event loop, which compounds the impact on every other connection the process is serving. All versions prior to 6.5.0 are affected, and the parser is enabled by default.
An unauthenticated remote attacker can send specially crafted `multipart/form-data` requests that repeatedly trigger the error-logging path, producing a denial-of-service condition that exhausts system resources (event-loop time, CPU and log storage) through excessive synchronous logging. No user interaction is required, and the attack can be mounted over the network with low complexity.
The advisory and the associated patch recommend upgrading to Tornado 6.5.0. As a temporary workaround, operators can reject requests whose `Content-Type` is `multipart/form-data` at a reverse proxy or load balancer; note that this also blocks legitimate form posts and file uploads that use this encoding, so it is only viable for applications that do not accept them. The EPSS score has remained flat at a low value since disclosure, indicating no observed surge in exploitation interest.
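The log-and-continue loop described above, beside a fail-fast variant and the media-type check behind the proxy workaround, as an added Python example. This is not Tornado's own code: `parse_multipart` is a simplified stand-in that mirrors the shape of a parser which warns and keeps going on each malformed part, the function names are hypothetical, and the request bodies are constructed for the demo.

```python
"""Log amplification in a multipart/form-data parser: log-and-continue vs fail-fast.

Added illustration, not Tornado's code. parse_multipart, build_malformed_body,
measure and is_multipart_form_data are hypothetical names; bodies are constructed.
"""
import logging
import re
from typing import Dict, List, Optional, Tuple

log = logging.getLogger("multipart_demo")
log.setLevel(logging.WARNING)

BOUNDARY = b"boundary123"  # constructed boundary used by the sample bodies
_NAME_RE = re.compile(r'Content-Disposition:\s*form-data;.*?name="([^"]*)"', re.I)


def build_body(fields: Dict[str, bytes]) -> bytes:
    """Well-formed multipart/form-data body carrying `fields` (constructed input)."""
    chunks = []
    for name, value in fields.items():
        chunks.append(b"--" + BOUNDARY + b"\r\n")
        chunks.append(b'Content-Disposition: form-data; name="%s"\r\n\r\n' % name.encode())
        chunks.append(value + b"\r\n")
    chunks.append(b"--" + BOUNDARY + b"--\r\n")
    return b"".join(chunks)


def build_malformed_body(n_parts: int) -> bytes:
    """Attacker body: n_parts parts with no CRLFCRLF header terminator, 21 bytes each."""
    bad_part = b"--" + BOUNDARY + b"\r\n" + b"junk\r\n"
    return bad_part * n_parts + b"--" + BOUNDARY + b"--\r\n"


def parse_multipart(body: bytes, strict: bool) -> Dict[str, List[bytes]]:
    """Parse `body` into {field name: [values]}.

    strict=False: warn on each malformed part and continue (vulnerable shape: one
    log record per bad part).  strict=True: raise on the first malformed part
    (fail-fast shape: at most one error per request, however many parts it has).
    """
    def fail(msg: str) -> None:
        if strict:
            raise ValueError(msg)
        log.warning(msg)

    args: Dict[str, List[bytes]] = {}
    final = body.rfind(b"--" + BOUNDARY + b"--")
    if final == -1:
        fail("Invalid multipart/form-data: no final boundary")
        return args
    for part in body[:final].split(b"--" + BOUNDARY + b"\r\n"):
        if not part:
            continue
        eoh = part.find(b"\r\n\r\n")  # end of the part's header block
        if eoh == -1:
            fail("multipart/form-data missing headers")
            continue
        if not part.endswith(b"\r\n"):
            fail("Invalid multipart/form-data: part not CRLF-terminated")
            continue
        match = _NAME_RE.search(part[:eoh].decode("latin-1"))
        if match is None:
            fail("multipart/form-data value missing name")
            continue
        args.setdefault(match.group(1), []).append(part[eoh + 4:-2])
    return args


class _Counter(logging.Handler):
    """Counts emitted records instead of writing them; stands in for the real sink."""
    def __init__(self) -> None:
        super().__init__()
        self.records = 0

    def emit(self, record: logging.LogRecord) -> None:
        self.records += 1


def measure(body: bytes, strict: bool) -> Tuple[int, Optional[str]]:
    """Return (log records emitted, error message or None) for parsing one body."""
    counter = _Counter()
    log.addHandler(counter)
    log.propagate = False  # keep the demo quiet; the counter is the observation
    try:
        parse_multipart(body, strict)
        error = None
    except ValueError as exc:
        error = str(exc)
    finally:
        log.removeHandler(counter)
    return counter.records, error


def is_multipart_form_data(content_type: Optional[str]) -> bool:
    """Edge-side workaround check: compare the media type only, ignoring the boundary
    parameter, whitespace and case, so 'Multipart/Form-Data; boundary=x' is caught."""
    if not content_type:
        return False
    return content_type.split(";", 1)[0].strip().lower() == "multipart/form-data"


if __name__ == "__main__":
    print(parse_multipart(build_body({"user": b"alice", "note": b"hi"}), strict=True))
    evil = build_malformed_body(50_000)  # about 1 MiB of request body
    for strict in (False, True):
        records, error = measure(evil, strict)
        print(f"strict={strict}: {len(evil)} body bytes -> {records} log records, error={error!r}")
```

Run as a script, the 50,000-part body is about 1 MiB and in lenient mode yields 50,000 warning records; once a timestamp, level and logger name are formatted in, each record is longer than the 21-byte part that triggered it, so log output exceeds request input, and with a synchronous handler every one of those writes happens on the thread running the event loop. In strict mode the same body stops at the first part with no log records at all. `is_multipart_form_data` shows the one subtlety of the proxy workaround: match the media type, not the full header value, or a differently cased or parameterised `Content-Type` slips past the block.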
EU & UK References
- 🇪🇺 ENISA EUVD: EUVD-2025-15444
Vulnerability details
Tornado is a Python web framework and asynchronous networking library. When Tornado's `multipart/form-data` parser encounters certain errors, it logs a warning but continues trying to parse the remainder of the data. This allows remote attackers to generate an extremely high volume of logs, constituting a DoS attack. This DoS is compounded by the fact that the logging subsystem is synchronous. All versions of Tornado prior to 6.5.0 are affected. The vulnerable parser is enabled by default. Upgrade to Tornado version 6.5.0 to receive a patch. As a workaround, risk can be mitigated by blocking `Content-Type: multipart/form-data` in a proxy.
- CWE: CWE-770 Allocation of Resources Without Limits or Throttling
Related Threats
No named actor attribution yet. ATT&CK technique mapping in progress for this CVE.
Affected Assets
Tornado (PyPI package `tornado`), all versions prior to 6.5.0.
Mitigating Controls
Likely Mitigating Controls
Per-CVE control mapping has not yet run for this CVE; the list below is derived automatically from the weakness type (CWE-770) cited in the NVD entry, so treat it as a starting point rather than a validated mapping. None of these controls substitutes for upgrading to 6.5.0; they limit the blast radius of a successful resource-exhaustion attack.
- Explicit throttling of session allocation, addressing the weakness of allocating resources without limits.
- Contingency plan testing that exercises resource allocation limits and throttling during simulated failures, directly addressing weaknesses that allow unbounded resource use.
- Contingency plan updates that ensure recovery strategies address unbounded resource allocation, making it harder for attackers to exploit a lack of throttling to cause prolonged outages.
- An alternate processing site that provides continuity when unbounded resource allocation at the primary site leads to exhaustion and downtime.
- Alternate services that allow operations to continue when the primary allocation of resources lacks limits or throttling.
- Explicit planning of security-related actions that requires defining limits, windows and resource allocations, making allocation without throttling far less likely.
- Measures of performance that track allocation behaviour and throttling effectiveness, reducing the window for resource-exhaustion attacks.
- An inactivity-based limit on network resource allocation, throttling the number of concurrently held connections.
In practice the most direct compensating measures for this CVE are a request body-size limit and per-client rate limit at the reverse proxy, which bound how many malformed parts one client can submit, and a log pipeline that does not block the event loop (for example Python's `logging.handlers.QueueHandler` feeding a `QueueListener`), which removes the synchronous-logging multiplier.