
Cloud Vulnerability DB
A community-led vulnerabilities database
Tornado, a Python web framework and asynchronous networking library, is affected by CVE-2025-47287, disclosed on May 15, 2025. The vulnerability exists in the multipart/form-data parser: on certain malformed input it logs a warning and continues parsing the remainder of the data instead of stopping. All versions of Tornado prior to 6.5.0 are affected, and the vulnerable parser is enabled by default (GitHub Advisory, NVD).
The vulnerability stems from the multipart/form-data parser's behavior when encountering errors. Instead of properly handling error conditions, the parser continues processing while generating warning logs. The issue has been assigned a CVSS v3.1 score of 7.5 (HIGH) with the vector string CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H. The vulnerability is classified as CWE-770 (Allocation of Resources Without Limits or Throttling). The issue is particularly severe because the logging subsystem operates synchronously, amplifying the impact of the attack (GitHub Advisory, NVD).
Because each error is logged rather than terminating the parse, a remote attacker can make the server emit an extremely high volume of warning logs, causing a denial of service (DoS). The synchronous nature of the logging subsystem compounds the impact. The attack affects availability only and requires no privileges or user interaction (GitHub Advisory, Wiz).
The primary mitigation is to upgrade to Tornado version 6.5.0 or later, which contains the patch for this vulnerability. As a temporary workaround, organizations can mitigate the risk by blocking Content-Type: multipart/form-data in a proxy. This prevents the exploitation of the vulnerable parser while waiting for the upgrade (GitHub Advisory, NVD).
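Upgrading is the fix; the proxy rule is the documented workaround. A third, defence-in-depth control that targets the amplification mechanism described above is to cap how many warnings the parser's logger may write per second, so that a flood of malformed parts is counted rather than written synchronously. The code below is an added example, not Tornado's patch or Wiz's code; it assumes Tornado's parser warns through the logger named `tornado.general` (the `gen_log` in `tornado.log`), and uses a plain standard-library logger with a fake clock so it runs without Tornado installed.

```python
import logging
import time
from collections import deque

# Assumed logger name for Tornado's multipart parser warnings (tornado.log.gen_log).
TORNADO_PARSER_LOGGER = "tornado.general"


class BurstLimitFilter(logging.Filter):
    """Let at most `limit` records per `window` seconds through a logger.

    The first records survive as evidence of the malformed requests; the
    rest of the burst is dropped and counted instead of being written by a
    synchronous logging backend.
    """

    def __init__(self, limit, window, clock=time.monotonic):
        super().__init__()
        self.limit, self.window, self.clock = limit, window, clock
        self._stamps = deque()   # timestamps of records allowed through
        self.dropped = 0         # records suppressed so far

    def filter(self, record):
        now = self.clock()
        while self._stamps and now - self._stamps[0] >= self.window:
            self._stamps.popleft()
        if len(self._stamps) >= self.limit:
            self.dropped += 1
            return False
        self._stamps.append(now)
        return True


def install_burst_limit(limit=20, window=1.0, name=TORNADO_PARSER_LOGGER):
    """Attach the filter to the parser's logger; returns it for inspection."""
    flt = BurstLimitFilter(limit, window)
    logging.getLogger(name).addFilter(flt)
    return flt


def simulate_flood(n_warnings, limit, window, name="example.multipart"):
    """Constructed scenario: n warnings in one instant, n more one window
    later, on a stand-in logger. Returns (written, dropped)."""
    clock = [0.0]
    flt = BurstLimitFilter(limit, window, clock=lambda: clock[0])
    written = []
    sink = logging.Handler()
    sink.emit = lambda record: written.append(record.getMessage())
    logger = logging.getLogger(name)
    logger.propagate, logger.level = False, logging.WARNING
    logger.addHandler(sink)
    logger.addFilter(flt)
    try:
        for _ in range(2):
            for _ in range(n_warnings):
                logger.warning("Invalid multipart/form-data")  # parser-style warning
            clock[0] += window  # advance fake clock to the next window
    finally:
        logger.removeFilter(flt)
        logger.removeHandler(sink)
    return len(written), flt.dropped
```

With `limit=20, window=1.0`, a burst of 1000 malformed parts produces 20 log lines per window instead of 1000; the `dropped` counter is the metric to alert on.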
Source: This report was generated using AI