OESA-2025-2580

See a problem?
Please try reporting it to the source first.
Source
https://www.openeuler.org/en/security/security-bulletins/detail/?id=openEuler-SA-2025-2580
Import Source
https://repo.openeuler.org/security/data/osv/OESA-2025-2580.json
JSON Data
https://api.test.osv.dev/v1/vulns/OESA-2025-2580
Upstream
Published
2025-10-31T14:13:21Z
Modified
2025-10-31T21:05:36.285245Z
Summary
python-tornado security update
Details

Tornado is a Python web framework and asynchronous networking library, originally developed at FriendFeed. By using non-blocking network I/O, Tornado can scale to tens of thousands of open connections, making it ideal for long polling, WebSockets, and other applications that require a long-lived connection to each user.

Security Fix(es):

Tornado is a Python web framework and asynchronous networking library. When Tornado's multipart/form-data parser encounters certain errors, it logs a warning but continues trying to parse the remainder of the data. This allows remote attackers to generate an extremely high volume of logs, constituting a DoS attack. This DoS is compounded by the fact that the logging subsystem is synchronous. All versions of Tornado prior to 6.5.0 are affected. The vulnerable parser is enabled by default. Upgrade to Tornado version 6.50 to receive a patch. As a workaround, risk can be mitigated by blocking Content-Type: multipart/form-data in a proxy.(CVE-2025-47287)

Database specific 
{
    "severity": "High"
}
References

Affected packages

openEuler:20.03-LTS-SP4 / python-tornado

Package

Name
python-tornado
Purl
pkg:rpm/openEuler/python-tornado&distro=openEuler-20.03-LTS-SP4

Affected ranges

Type
ECOSYSTEM
Events
Introduced
0Unknown introduced version / All previous versions are affected
Fixed
5.0.2-10.oe2003sp4

Ecosystem specific 

{
    "aarch64": [
        "python-tornado-debuginfo-5.0.2-10.oe2003sp4.aarch64.rpm",
        "python-tornado-debugsource-5.0.2-10.oe2003sp4.aarch64.rpm",
        "python2-tornado-5.0.2-10.oe2003sp4.aarch64.rpm",
        "python3-tornado-5.0.2-10.oe2003sp4.aarch64.rpm"
    ],
    "src": [
        "python-tornado-5.0.2-10.oe2003sp4.src.rpm"
    ],
    "x86_64": [
        "python-tornado-debuginfo-5.0.2-10.oe2003sp4.x86_64.rpm",
        "python-tornado-debugsource-5.0.2-10.oe2003sp4.x86_64.rpm",
        "python2-tornado-5.0.2-10.oe2003sp4.x86_64.rpm",
        "python3-tornado-5.0.2-10.oe2003sp4.x86_64.rpm"
    ]
}