
chore(deps): update dependency tornado to v6.5.6 [security] - autoclosed#673

Closed
renovate[bot] wants to merge 1 commit into
mainfrom
renovate/pypi-tornado-vulnerability
Closed

Conversation

renovate[bot] (Contributor) commented Jun 12, 2026

This PR contains the following updates:

| Package | Change |
| --- | --- |
| tornado (source) | 6.5.5 → 6.5.6 |

Tornado has out-of-bounds memory access via C extension

CVE-2026-49854 / GHSA-cx3h-4qpv-8hc9

Details

Summary

Tornado's optional native extension tornado.speedups implements websocket_mask without validating that the mask argument is exactly four bytes long. The C function reads four bytes from mask unconditionally, even when Python passes a shorter byte string. This can read beyond the provided buffer, exposing up to 3 bytes of uninitialized memory.

The behavior is reachable from Tornado's XSRF token decoder when xsrf_cookies=True and the native extension is active.

Mitigations

This bug is fixed in Tornado 6.5.6. Prior to upgrading to this version, setting the environment variable TORNADO_EXTENSION=0 will disable the vulnerable code (at the expense of reducing websocket performance).

Severity

  • CVSS Score: 3.7 / 10 (Low)
  • Vector String: CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:N/A:N

References

This data is provided by the GitHub Advisory Database (CC-BY 4.0).


Release Notes

tornadoweb/tornado (tornado)

v6.5.6

Configuration

📅 Schedule: (in timezone Europe/Berlin)

  • Branch creation
    • At any time (no schedule defined)
  • Automerge
    • At any time (no schedule defined)

🚦 Automerge: Enabled.

Rebasing: Whenever PR is behind base branch, or you tick the rebase/retry checkbox.

🔕 Ignore: Close this PR and you won't be reminded about this update again.

This PR was generated by Mend Renovate. View the repository job log.
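The invariant the advisory describes (a WebSocket masking key is exactly four bytes) and the XSRF-decode path through which the unchecked C routine is reached, as an added illustration that is not Tornado's own code: a pure-Python masking routine that enforces the length check the native extension lacked, plus a decoder for a token layout modelled on Tornado's version-2 XSRF cookie. The `2|<mask hex>|<masked hex>|<timestamp>` layout, the function names and the sample values are assumptions of this example.

```python
import array
import binascii
from typing import Optional

MASK_LEN = 4  # a WebSocket masking key is always exactly four bytes


def websocket_mask(mask: bytes, data: bytes) -> bytes:
    """XOR `data` with the repeating 4-byte `mask` (pure-Python stand-in).

    The length check is the invariant the advisory says the C extension did
    not enforce: a 1-3 byte mask must be rejected, never read past its end.
    """
    if len(mask) != MASK_LEN:
        raise ValueError(f"mask must be exactly {MASK_LEN} bytes, got {len(mask)}")
    mask_arr = array.array("B", mask)
    out = array.array("B", data)
    for i in range(len(out)):
        out[i] ^= mask_arr[i % MASK_LEN]
    return out.tobytes()


def decode_xsrf_token(cookie: str) -> Optional[bytes]:
    """Decode "2|<mask hex>|<masked hex>|<timestamp>" to the unmasked token.

    Returns None for any malformed cookie. The layout is modelled on
    Tornado's version-2 XSRF token (an assumption of this example).
    """
    try:
        version, mask_hex, masked_hex, _timestamp = cookie.split("|")
        if version != "2":
            return None
        mask = binascii.a2b_hex(mask_hex)
        masked = binascii.a2b_hex(masked_hex)
    except (ValueError, binascii.Error):  # wrong field count, odd/non-hex
        return None
    # Validate the attacker-controlled mask length before it reaches the
    # masking routine; this is where a short mask would otherwise trigger
    # the over-read in an unchecked native implementation.
    if len(mask) != MASK_LEN:
        return None
    return websocket_mask(mask, masked)


def encode_xsrf_token(token: bytes, mask: bytes, timestamp: int) -> str:
    """Inverse of decode_xsrf_token; handy for building test cookies."""
    masked = websocket_mask(mask, token)
    return "|".join(["2", binascii.b2a_hex(mask).decode(),
                     binascii.b2a_hex(masked).decode(), str(timestamp)])
```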

@renovate renovate Bot requested a review from a team as a code owner June 12, 2026 23:04
@renovate renovate Bot added bot Automated pull requests or issues dependencies Pull requests that update a dependency file renovate Pull requests from Renovate skip:codecov Skip Codecov reporting and check skip:test:long_running Skip long-running tests (≥5min) labels Jun 12, 2026
@renovate renovate Bot enabled auto-merge (squash) June 12, 2026 23:04
@renovate renovate Bot changed the title chore(deps): update dependency tornado to v6.5.6 [security] chore(deps): update dependency tornado to v6.5.6 [security] - autoclosed Jun 15, 2026
@renovate renovate Bot closed this Jun 15, 2026
auto-merge was automatically disabled June 15, 2026 06:12

Pull request was closed

@renovate renovate Bot deleted the renovate/pypi-tornado-vulnerability branch June 15, 2026 06:12