vulnerability
Amazon Linux 2023: CVE-2025-47287: Medium priority package update for python-tornado
| Severity | CVSS | Published | Added | Modified |
|---|---|---|---|---|
| 8 | (AV:N/AC:L/Au:N/C:N/I:N/A:C) | May 15, 2025 | Jun 11, 2025 | Jul 17, 2025 |
Severity
8
CVSS
(AV:N/AC:L/Au:N/C:N/I:N/A:C)
Published
May 15, 2025
Added
Jun 11, 2025
Modified
Jul 17, 2025
Description
Tornado is a Python web framework and asynchronous networking library. When Tornado's ``multipart/form-data`` parser encounters certain errors, it logs a warning but continues trying to parse the remainder of the data. This allows remote attackers to generate an extremely high volume of logs, constituting a DoS attack. This DoS is compounded by the fact that the logging subsystem is synchronous. All versions of Tornado prior to 6.5.0 are affected. The vulnerable parser is enabled by default. Upgrade to Tornado version 6.50 to receive a patch. As a workaround, risk can be mitigated by blocking `Content-Type: multipart/form-data` in a proxy.
A flaw was found in Tornado. This vulnerability can lead to a a denial of service by generating an extremely high volume of log entries.
A flaw was found in Tornado. This vulnerability can lead to a a denial of service by generating an extremely high volume of log entries.
Solutions
amazon-linux-2023-upgrade-python3-tornadoamazon-linux-2023-upgrade-python3-tornado-debuginfoamazon-linux-2023-upgrade-python-tornado-debugsourceamazon-linux-2023-upgrade-python-tornado-doc
NEW
Explore Exposure Command
Confidently identify and prioritize exposures from endpoint to cloud with full attack surface visibility and threat-aware risk context.