Amazon Linux 2 Security Advisory: ALAS2-2025-2889
Advisory Released Date: 2025-06-12
Advisory Updated Date: 2025-06-12
Tornado is a Python web framework and asynchronous networking library. When Tornado's ``multipart/form-data`` parser encounters certain errors, it logs a warning but continues trying to parse the remainder of the data. This allows remote attackers to generate an extremely high volume of logs, constituting a DoS attack. This DoS is compounded by the fact that the logging subsystem is synchronous. All versions of Tornado prior to 6.5.0 are affected. The vulnerable parser is enabled by default. Upgrade to Tornado version 6.50 to receive a patch. As a workaround, risk can be mitigated by blocking `Content-Type: multipart/form-data` in a proxy. (CVE-2025-47287)
Affected Packages:
python3-tornado
Note:
This advisory is applicable to Amazon Linux 2 (AL2) Core repository. Visit this FAQ section for the difference between AL2 Core and AL2 Extras advisories.
Issue Correction:
Run yum update python3-tornado to update your system.
aarch64:
python3-tornado-5.0.2-4.amzn2.0.5.aarch64
python3-tornado-doc-5.0.2-4.amzn2.0.5.aarch64
python3-tornado-debuginfo-5.0.2-4.amzn2.0.5.aarch64
i686:
python3-tornado-5.0.2-4.amzn2.0.5.i686
python3-tornado-doc-5.0.2-4.amzn2.0.5.i686
python3-tornado-debuginfo-5.0.2-4.amzn2.0.5.i686
src:
python3-tornado-5.0.2-4.amzn2.0.5.src
x86_64:
python3-tornado-5.0.2-4.amzn2.0.5.x86_64
python3-tornado-doc-5.0.2-4.amzn2.0.5.x86_64
python3-tornado-debuginfo-5.0.2-4.amzn2.0.5.x86_64