Is tornado affected by CVE-2025-47287?

PyPI tornado is affected in <6.5.

Is CVE-2025-47287 being exploited?

Not on the CISA KEV list. EPSS exploit probability is 0.6%.

high

CVE-2025-47287

Q: Is CVE-2025-47287 being exploited?

Not on the CISA KEV list. EPSS exploit probability is 0.6%.

PyPI · tornado

Summary

Tornado vulnerable to excessive logging caused by malformed multipart form data

Severity: high
EPSS: 0.6% (p46)
Also known as: GHSA-7cx3-6m66-7c5m
Published: 2025-05-16

References

https://github.com/tornadoweb/tornado/security/advisories/GHSA-7cx3-6m66-7c5m
https://nvd.nist.gov/vuln/detail/CVE-2025-47287
https://github.com/tornadoweb/tornado/commit/b39b892bf78fe8fea01dd45199aa88307e7162f3

Related advisories

CVE-2026-49853 — high · PyPI/tornado
CVE-2026-49855 — high · PyPI/tornado
CVE-2026-35536 — high · PyPI/tornado
CVE-2026-31958 — high · PyPI/tornado
GHSA-pw6j-qg29-8w7f — medium · PyPI/tornado
GHSA-78cv-mqj4-43f7 — medium · PyPI/tornado

Is your project exposed to this? Stateward checks every dependency on every pull request and flags it only if your code actually reaches it.

Check my repo

Summarize with AI

ChatGPT Claude Perplexity

Sources: CISA KEV (public domain), OSV.dev & GitHub Advisory Database (CC-BY-4.0), FIRST EPSS, NVD/CWE (public domain). Served live from the Stateward advisory database.