Anonymous Intelligence Signal

Tornado Web Framework Patches High-Severity DoS Vulnerability in Multipart Parser (CVE-2025-47287)

human The Lab unverified 2026-04-14 17:22:49 Source: GitHub Issues

A high-severity vulnerability in the Tornado web framework's multipart form parser has been patched. The flaw, tracked as CVE-2025-47287, let an unauthenticated remote attacker make a server emit an extremely high volume of synchronous log messages from a single malformed request, degrading performance and availability for every other client of that process. The update tracked here, a dependency bump from version 6.4.2 to 6.5.5, picks up the fix for a fundamental weakness: when the parser hit malformed multipart data it logged a warning and kept going instead of rejecting the request.

The vulnerability resides in Tornado's handling of `multipart/form-data`, the encoding browsers use for file uploads and form submissions. When the parser encountered a malformed part (for example a part with no headers, a Content-Disposition that is not `form-data`, or a field without a name), it logged a warning and moved on to the next part rather than aborting. Python's logging handlers write synchronously, and Tornado runs a single-threaded event loop, so every one of those warnings blocks the loop for the duration of the write. A request body packed with thousands of tiny malformed parts therefore costs the server thousands of blocking log writes in addition to the CPU spent parsing the remainder of the body, and a steady stream of such requests starves every other connection served by the process.
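The following is an added illustration, not Tornado's own parser: a deliberately simplified `multipart/form-data` parser that can run in the log-and-continue mode described above or in an abort-on-first-error mode, with a counting log handler to measure how many synchronous log writes one request body triggers. The boundary, the field names, the warning texts and the `build_body` helper that fabricates the malicious body are all constructed for the example.

```python
import logging
from typing import Dict, List

# Illustrative logger name; a real deployment would watch the framework's own loggers.
log = logging.getLogger("multipart_demo")
log.setLevel(logging.WARNING)


class MalformedMultipart(ValueError):
    """Raised in strict mode so the caller can answer 400 once and stop."""


class CountingHandler(logging.Handler):
    """Counts records: each one stands for a synchronous write on the event loop."""

    def __init__(self) -> None:
        super().__init__()
        self.count = 0

    def emit(self, record: logging.LogRecord) -> None:
        self.count += 1


def _split_parts(boundary: bytes, data: bytes) -> List[bytes]:
    """Split a body on '--<boundary>' and drop the preamble and closing delimiter."""
    parts = []
    for piece in data.split(b"--" + boundary)[1:]:
        if piece.startswith(b"--"):      # '--boundary--' terminates the body
            break
        if piece.startswith(b"\r\n"):    # delimiter is followed by CRLF
            piece = piece[2:]
        if piece.endswith(b"\r\n"):      # CRLF before the next delimiter
            piece = piece[:-2]
        parts.append(piece)
    return parts


def parse_multipart(boundary: bytes, data: bytes, strict: bool) -> Dict[str, List[bytes]]:
    """Toy multipart parser.

    strict=False: log each malformed part and keep parsing (the vulnerable pattern).
    strict=True:  log once, raise, and let the caller reject the whole request.
    """
    fields: Dict[str, List[bytes]] = {}

    def bad(msg: str) -> None:
        log.warning(msg)              # synchronous write; blocks the loop either way
        if strict:
            raise MalformedMultipart(msg)

    for part in _split_parts(boundary, data):
        head, sep, value = part.partition(b"\r\n\r\n")
        if not sep:
            bad("multipart part missing headers")
            continue
        headers = {}
        for line in head.split(b"\r\n"):
            key, _, val = line.partition(b":")
            headers[key.strip().lower()] = val.strip()
        disp_type, _, params = headers.get(b"content-disposition", b"").partition(b";")
        if disp_type.strip() != b"form-data":
            bad("multipart part is not form-data")
            continue
        name = None
        for param in params.split(b";"):
            key, _, val = param.strip().partition(b"=")
            if key == b"name":
                name = val.strip(b'"')
        if not name:
            bad("multipart part missing name")
            continue
        fields.setdefault(name.decode(), []).append(value)
    return fields


def build_body(boundary: bytes, n_malformed: int, n_valid: int = 1) -> bytes:
    """Constructed attack body: a few valid fields followed by many header-less parts."""
    parts = [b'Content-Disposition: form-data; name="f%d"\r\n\r\nok' % i for i in range(n_valid)]
    parts += [b"no-headers-here"] * n_malformed   # a few bytes each, one warning each
    delim = b"--" + boundary + b"\r\n"
    return delim + (b"\r\n" + delim).join(parts) + b"\r\n--" + boundary + b"--\r\n"


def count_log_writes(boundary: bytes, data: bytes, strict: bool) -> int:
    """Parse one body and return how many log records it produced."""
    handler = CountingHandler()
    log.addHandler(handler)
    log.propagate = False
    try:
        parse_multipart(boundary, data, strict)
    except MalformedMultipart:
        pass                          # strict mode: request rejected after one warning
    finally:
        log.removeHandler(handler)
    return handler.count


if __name__ == "__main__":
    body = build_body(b"demo", 5000)
    print("lenient:", count_log_writes(b"demo", body, strict=False), "log writes")
    print("strict: ", count_log_writes(b"demo", body, strict=True), "log writes")
```

With a 5000-part body the lenient mode performs 5000 log writes for roughly 100 KB of request, while the strict mode performs one and hands the caller a single exception to turn into a 400 response. The point the numbers make is that the cost is controlled entirely by the attacker's part count, not by the body size, which is why a body-size cap alone does not close the hole.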

This patch is a mandatory update for any production system using Tornado, a foundational asynchronous web framework and networking library for Python. The risk is particularly acute for high-traffic services, APIs, and applications that accept user uploads. System administrators and DevOps teams should prioritize the update, as the attack requires no authentication and can be executed remotely: confirm the installed release with `python -c "import tornado; print(tornado.version)"` and upgrade to a 6.5 release (`pip install --upgrade tornado`). Two caveats for teams that cannot upgrade immediately. First, a request body cap such as Tornado's `max_body_size` is not a mitigation on its own, because a malformed part is only a few bytes, so even a small body can carry tens of thousands of them. Second, the attack produces no error responses and no obvious exploit signature, so traditional intrusion detection systems are unlikely to flag it; a sudden surge of warnings from Tornado's `tornado.general` logger, correlated with rising event-loop latency, is the most reliable indicator that it is under way.