Bug 2366703 (CVE-2025-47287) - CVE-2025-47287 tornado: Tornado Multipart Form-Data Denial of Service
Summary: CVE-2025-47287 tornado: Tornado Multipart Form-Data Denial of Service
Keywords:
Status: NEW
Alias: CVE-2025-47287
Product: Security Response
Classification: Other
Component: vulnerability
Version: unspecified
Hardware: All
OS: Linux
high
high
Target Milestone: ---
Assignee: Product Security DevOps Team
QA Contact:
URL:
Whiteboard:
Depends On: 2366780 2366781 2366782 2366783 2366785 2366786 2366784
Blocks:
TreeView+ depends on / blocked
 
Reported: 2025-05-15 22:01 UTC by OSIDB Bzimport
Modified: 2025-05-29 16:40 UTC (History)
11 users (show)

Fixed In Version:
Clone Of:
Environment:
Last Closed:
Embargoed:

Attachments (Terms of Use)


Links
System ID Private Priority Status Summary Last Updated
Red Hat Product Errata RHSA-2025:8135 0 None None None 2025-05-26 09:41:00 UTC
Red Hat Product Errata RHSA-2025:8136 0 None None None 2025-05-26 10:06:00 UTC
Red Hat Product Errata RHSA-2025:8223 0 None None None 2025-05-27 16:50:15 UTC
Red Hat Product Errata RHSA-2025:8226 0 None None None 2025-05-27 17:46:39 UTC
Red Hat Product Errata RHSA-2025:8254 0 None None None 2025-05-28 10:41:14 UTC
Red Hat Product Errata RHSA-2025:8279 0 None None None 2025-05-28 23:35:45 UTC
Red Hat Product Errata RHSA-2025:8290 0 None None None 2025-05-29 06:26:44 UTC
Red Hat Product Errata RHSA-2025:8291 0 None None None 2025-05-29 06:26:52 UTC
Red Hat Product Errata RHSA-2025:8323 0 None None None 2025-05-29 16:40:35 UTC

Description OSIDB Bzimport 2025-05-15 22:01:12 UTC 
Tornado is a Python web framework and asynchronous networking library. When Tornado's ``multipart/form-data`` parser encounters certain errors, it logs a warning but continues trying to parse the remainder of the data. This allows remote attackers to generate an extremely high volume of logs, constituting a DoS attack. This DoS is compounded by the fact that the logging subsystem is synchronous. All versions of Tornado prior to 6.5.0 are affected. The vulnerable parser is enabled by default. Upgrade to Tornado version 6.50 to receive a patch. As a workaround, risk can be mitigated by blocking `Content-Type: multipart/form-data` in a proxy.
Comment 3 errata-xmlrpc 2025-05-26 09:40:58 UTC 
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 10

Via RHSA-2025:8135 https://access.redhat.com/errata/RHSA-2025:8135
Comment 4 errata-xmlrpc 2025-05-26 10:05:59 UTC 
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 9

Via RHSA-2025:8136 https://access.redhat.com/errata/RHSA-2025:8136
Comment 5 errata-xmlrpc 2025-05-27 16:50:13 UTC 
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 9.4 Extended Update Support

Via RHSA-2025:8223 https://access.redhat.com/errata/RHSA-2025:8223
Comment 6 errata-xmlrpc 2025-05-27 17:46:37 UTC 
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 9.2 Extended Update Support

Via RHSA-2025:8226 https://access.redhat.com/errata/RHSA-2025:8226
Comment 7 errata-xmlrpc 2025-05-28 10:41:13 UTC 
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 8

Via RHSA-2025:8254 https://access.redhat.com/errata/RHSA-2025:8254
Comment 8 errata-xmlrpc 2025-05-28 23:35:43 UTC 
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 8.8 Extended Update Support

Via RHSA-2025:8279 https://access.redhat.com/errata/RHSA-2025:8279
Comment 9 errata-xmlrpc 2025-05-29 06:26:42 UTC 
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 8.6 Advanced Mission Critical Update Support
  Red Hat Enterprise Linux 8.6 Update Services for SAP Solutions
  Red Hat Enterprise Linux 8.6 Telecommunications Update Service

Via RHSA-2025:8290 https://access.redhat.com/errata/RHSA-2025:8290
Comment 10 errata-xmlrpc 2025-05-29 06:26:51 UTC 
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 9.0 Update Services for SAP Solutions

Via RHSA-2025:8291 https://access.redhat.com/errata/RHSA-2025:8291
Comment 11 errata-xmlrpc 2025-05-29 16:40:34 UTC 
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 8.4 Advanced Mission Critical Update Support
  Red Hat Enterprise Linux 8.4 Telecommunications Update Service
  Red Hat Enterprise Linux 8.4 Update Services for SAP Solutions

Via RHSA-2025:8323 https://access.redhat.com/errata/RHSA-2025:8323
Note You need to log in before you can comment on or make changes to this bug.