Source: python-tornado
Version: 6.4.2-1
Severity: grave
Tags: security upstream
X-Debbugs-Cc: car...@debian.org, Debian Security Team <t...@security.debian.org>

Hi,

The following vulnerability was published for python-tornado.

CVE-2025-47287[0]:
| Tornado is a Python web framework and asynchronous networking
| library. When Tornado's ``multipart/form-data`` parser encounters
| certain errors, it logs a warning but continues trying to parse the
| remainder of the data. This allows remote attackers to generate an
| extremely high volume of logs, constituting a DoS attack. This DoS
| is compounded by the fact that the logging subsystem is synchronous.
| All versions of Tornado prior to 6.5.0 are affected. The vulnerable
| parser is enabled by default. Upgrade to Tornado version 6.50 to
| receive a patch. As a workaround, risk can be mitigated by blocking
| `Content-Type: multipart/form-data` in a proxy.

If you fix the vulnerability please also make sure to include the
CVE (Common Vulnerabilities & Exposures) id in your changelog entry.

For further information see:

[0] https://security-tracker.debian.org/tracker/CVE-2025-47287
    https://www.cve.org/CVERecord?id=CVE-2025-47287
[1] https://github.com/tornadoweb/tornado/security/advisories/GHSA-7cx3-6m66-7c5m
[2] https://github.com/tornadoweb/tornado/commit/b39b892bf78fe8fea01dd45199aa88307e7162f3

Please adjust the affected versions in the BTS as needed, all versions
before 6.5.0 should be affected.

Regards,
Salvatore
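The advisory's DoS works because every malformed part becomes a synchronous log write. Beyond the proxy block it suggests, a deployment that cannot upgrade immediately can cap the damage at the logging layer. The following is an added example, not Tornado's own code or part of the bug report: a burst-limiting `logging.Filter` attached to the logger name `tornado.general` (assumed here to be the logger the multipart parser warns through), exercised with a constructed flood of warnings under a fake clock so it runs offline.

```python
import logging
import time
from collections import deque


class BurstLimitFilter(logging.Filter):
    """Pass at most `max_records` records per `window` seconds, drop the rest.

    Attached to the parser's logger, this bounds the synchronous log work a
    single malformed multipart/form-data body can force (CVE-2025-47287).
    """

    def __init__(self, max_records=20, window=1.0, clock=time.monotonic):
        super().__init__()
        self.max_records = max_records
        self.window = window
        self.clock = clock          # injectable for deterministic testing
        self.timestamps = deque()   # times of records passed within the window
        self.dropped = 0            # count of suppressed records, for monitoring

    def filter(self, record):
        now = self.clock()
        # Expire timestamps that fell out of the sliding window.
        while self.timestamps and now - self.timestamps[0] > self.window:
            self.timestamps.popleft()
        if len(self.timestamps) >= self.max_records:
            self.dropped += 1
            return False
        self.timestamps.append(now)
        return True


class CountingHandler(logging.Handler):
    """Stand-in for a real (synchronous) handler; only counts what gets through."""

    def __init__(self):
        super().__init__()
        self.count = 0

    def emit(self, record):
        self.count += 1


def simulate_warning_flood(n_warnings, max_records=20, window=1.0):
    """Constructed demo: emit n_warnings as the parser would for a malformed body.

    The fake clock advances 0.5 ms per record. Returns (passed, dropped).
    """
    fake_time = [0.0]
    logger = logging.getLogger("tornado.general")  # assumed parser logger name
    logger.propagate = False
    logger.setLevel(logging.WARNING)
    logger.handlers.clear()
    logger.filters.clear()
    handler = CountingHandler()
    limiter = BurstLimitFilter(max_records, window, clock=lambda: fake_time[0])
    logger.addFilter(limiter)   # logger-level filter runs before any handler
    logger.addHandler(handler)
    for _ in range(n_warnings):
        logger.warning("multipart/form-data missing headers")  # constructed text
        fake_time[0] += 0.0005
    return handler.count, limiter.dropped
```

Watch the `dropped` counter: a sudden jump is itself a detection signal that a client is sending deliberately malformed multipart bodies.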