
CVE-2025-47287: CWE-770: Allocation of Resources Without Limits or Throttling in tornadoweb tornado

High
Published: Thu May 15 2025 (05/15/2025, 21:17:55 UTC)
Source: CVE
Vendor/Project: tornadoweb
Product: tornado

Description

Tornado is a Python web framework and asynchronous networking library. When Tornado's `multipart/form-data` parser encounters certain errors, it logs a warning but continues trying to parse the remainder of the data. This allows remote attackers to generate an extremely high volume of logs, constituting a DoS attack. This DoS is compounded by the fact that the logging subsystem is synchronous. All versions of Tornado prior to 6.5.0 are affected. The vulnerable parser is enabled by default. Upgrade to Tornado version 6.5.0 to receive a patch. As a workaround, risk can be mitigated by blocking `Content-Type: multipart/form-data` in a proxy.

AI-Powered Analysis

Last updated: 07/11/2025, 10:03:44 UTC

Technical Analysis

CVE-2025-47287 is a high-severity vulnerability affecting Tornado, a popular Python web framework and asynchronous networking library widely used for building scalable web applications. The vulnerability arises from the way Tornado's multipart/form-data parser handles malformed or erroneous input. Specifically, when the parser encounters certain errors in multipart/form-data payloads, it logs warnings but continues to parse the remaining data instead of halting or properly limiting resource consumption. This behavior allows a remote attacker to send specially crafted HTTP requests with multipart/form-data content that trigger excessive logging activity. Because Tornado's logging subsystem is synchronous, this results in a significant consumption of CPU and I/O resources, effectively causing a denial-of-service (DoS) condition by overwhelming the server's processing capacity. All Tornado versions prior to 6.5.0 are vulnerable, and the multipart/form-data parser is enabled by default, increasing the attack surface. The vulnerability is classified under CWE-770 (Allocation of Resources Without Limits or Throttling), highlighting the lack of safeguards against resource exhaustion. The CVSS v3.1 score is 7.5 (high), reflecting the network attack vector, low attack complexity, no privileges or user interaction required, and a high impact on availability. No known exploits are currently in the wild, but the potential for DoS attacks is significant. The recommended remediation is to upgrade to Tornado version 6.5.0 or later, where the issue is patched. As an interim mitigation, blocking HTTP requests with Content-Type: multipart/form-data at a proxy or firewall can reduce exposure to this attack vector.

Potential Impact

For European organizations, this vulnerability poses a substantial risk to the availability of web services built on Tornado versions prior to 6.5.0. Many enterprises, government agencies, and service providers in Europe rely on Python-based web frameworks for internal and customer-facing applications. An attacker exploiting this vulnerability can cause service outages by flooding the server with malicious multipart/form-data requests, leading to degraded performance or complete denial of service. This can disrupt business operations, erode customer trust, and potentially violate regulatory requirements related to service availability and incident response under frameworks like GDPR and NIS Directive. The synchronous logging exacerbates the impact by amplifying resource consumption, making mitigation more urgent. Additionally, organizations with public-facing APIs or web portals that accept file uploads or form submissions using multipart/form-data are particularly at risk. The vulnerability does not affect confidentiality or integrity directly but can be leveraged as part of a broader attack campaign to disrupt critical services.

Mitigation Recommendations

1. Immediate upgrade to Tornado version 6.5.0 or later is the most effective mitigation, as this version contains the patch that properly limits resource allocation and logging behavior during multipart/form-data parsing errors.
2. Deploy web application firewalls (WAFs) or reverse proxies configured to block or rate-limit HTTP requests with Content-Type: multipart/form-data, especially from untrusted or anonymous sources, to reduce exposure to malicious payloads.
3. Implement rate limiting and anomaly detection on endpoints that accept multipart/form-data to detect and block abnormal request patterns indicative of DoS attempts.
4. Review and harden logging configurations to use asynchronous logging mechanisms where possible, reducing the risk that logging itself becomes a bottleneck or attack vector.
5. Conduct thorough testing of multipart/form-data handling in staging environments to identify and remediate any custom code or third-party components that may exacerbate resource exhaustion.
6. Monitor application and infrastructure logs for unusual spikes in multipart/form-data requests or logging activity, enabling early detection of exploitation attempts.
7. Educate development and operations teams about this vulnerability and ensure timely patch management practices are in place for all Tornado-based applications.
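Added example (not Tornado's own code and not part of the advisory) covering recommendations 3 and 4 above: a token-bucket logging filter that caps how many warnings per second a logger may emit, combined with Python's standard QueueHandler/QueueListener so that formatting and I/O leave the request thread. It assumes Tornado's general logger is named `tornado.general` (the name used by its gen_log); the warning text in the simulated flood is a constructed stand-in, and the filter is defence in depth, not a substitute for upgrading to 6.5.0.

```python
import logging
import queue
import time
from logging.handlers import QueueHandler, QueueListener


class BurstLimitFilter(logging.Filter):
    # Token bucket per (logger, level): at most `rate` records/s plus a burst
    # of `burst`; dropped records are counted and reported on the next survivor.
    def __init__(self, rate=10.0, burst=20, clock=time.monotonic):
        super().__init__()
        self.rate, self.burst, self.clock = rate, float(burst), clock
        self._buckets = {}  # key -> [tokens, last_seen, dropped]

    def filter(self, record):
        key = (record.name, record.levelno)
        now = self.clock()
        tokens, last, dropped = self._buckets.get(key, (self.burst, now, 0))
        tokens = min(self.burst, tokens + (now - last) * self.rate)
        if tokens < 1.0:
            self._buckets[key] = [tokens, now, dropped + 1]
            return False
        if dropped:
            record.msg = f"{record.msg} [{dropped} similar records suppressed]"
        self._buckets[key] = [tokens - 1.0, now, 0]
        return True


def install_throttled_async_logging(logger_name="tornado.general", rate=10.0, burst=20):
    # The filter runs cheaply on the request thread before enqueueing; the
    # QueueListener thread does the formatting and I/O, so a flood cannot stall the loop.
    q = queue.SimpleQueue()
    qh = QueueHandler(q)
    qh.addFilter(BurstLimitFilter(rate, burst))
    logger = logging.getLogger(logger_name)
    logger.addHandler(qh)
    logger.propagate = False  # keep the flood away from the root logger's sync handlers
    listener = QueueListener(q, logging.StreamHandler())
    listener.start()
    return listener  # call listener.stop() at shutdown


def simulate_flood(n=1000, rate=10.0, burst=20, seconds=0.0):
    # Constructed flood: n identical warnings at a frozen clock, then n more
    # `seconds` later; returns how many records the filter let through.
    t = [0.0]
    flt = BurstLimitFilter(rate, burst, clock=lambda: t[0])
    passed = 0
    for gap in (0.0, seconds):
        t[0] += gap
        for _ in range(n):
            rec = logging.LogRecord("tornado.general", logging.WARNING, "httputil.py", 0,
                                    "Invalid multipart/form-data", None, None)
            passed += flt.filter(rec)
    return passed
```

With the defaults, a burst of a thousand parse warnings yields 20 log lines, then at most 10 per second thereafter, with the suppressed count attached to the next line that is written.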


Technical Details

Data Version: 5.1
Assigner Short Name: GitHub_M
Date Reserved: 2025-05-05T16:53:10.374Z
CISA Enriched: true
CVSS Version: 3.1
State: PUBLISHED

Threat ID: 682cd0f91484d88663aebebb

Added to database: 5/20/2025, 6:59:05 PM

Last enriched: 7/11/2025, 10:03:44 AM

Last updated: 8/12/2025, 12:16:44 PM
