| Package | python-tornado |
|---|---|
| Version | 5.1.1-4+deb10u2 (buster) |
| Related CVEs | CVE-2025-47287 |
A vulnerability was discovered in python-tornado, a scalable, non-blocking Python web framework and asynchronous networking library.
CVE-2025-47287
When Tornado's 'multipart/form-data' parser encounters certain errors,
it logs a warning but continues trying to parse the remainder of the
data. This allows remote attackers to generate an extremely high volume
of logs, constituting a DoS attack. This DoS is compounded by the fact
that the logging subsystem is synchronous.
For Debian 10 buster, these problems have been fixed in version 5.1.1-4+deb10u2.
We recommend that you upgrade your python-tornado packages.
Further information about Extended LTS security advisories can be found in the dedicated section of our website.