LOW 3.7

GHSA-cx3h-4qpv-8hc9

Tornado has out-of-bounds memory access via C extension

Details

### Summary

Tornado's optional native extension `tornado.speedups` implements `websocket_mask` without validating that the `mask` argument is exactly four bytes long. The C function reads four bytes from `mask` unconditionally, even when Python passes a shorter byte string. This can read beyond the provided buffer, exposing up to 3 bytes of uninitialized memory.

The behavior is reachable from Tornado's XSRF token decoder when `xsrf_cookies=True` and the native extension is active.

### Mitigations

This bug is fixed in Tornado 6.5.6. Prior to upgrading to this version, setting the environment variable `TORNADO_EXTENSION=0` will disable the vulnerable code (at the expense of reducing WebSocket performance).
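As an added illustration that is not Tornado's own code: a pure-Python reference of the RFC 6455 masking step carrying the exact-four-byte check the C extension omitted, plus a helper that applies the two mitigations above (the function names `websocket_mask`, `parse_version` and `is_mitigated` are this example's own).

```python
import os
import re

FIXED_VERSION = (6, 5, 6)  # from the advisory: fixed in Tornado 6.5.6


def websocket_mask(mask: bytes, data: bytes) -> bytes:
    """Reference WebSocket masking: XOR each payload byte with mask[i % 4].

    The length check is the validation the native extension lacked; a
    shorter mask is rejected here instead of being read past its end.
    """
    if len(mask) != 4:
        raise ValueError(f"mask must be exactly 4 bytes, got {len(mask)}")
    return bytes(b ^ mask[i % 4] for i, b in enumerate(data))


def parse_version(version: str) -> tuple:
    """Turn '6.5.6' (or '6.5.6b1') into a comparable (major, minor, patch) tuple.

    Pre-release suffixes are ignored, so a pre-release of 6.5.6 is treated
    like the release; tighten this if that matters in your environment.
    """
    m = re.match(r"(\d+)\.(\d+)(?:\.(\d+))?", version)
    if not m:
        raise ValueError(f"unrecognised version string: {version!r}")
    return tuple(int(x) if x is not None else 0 for x in m.groups())


def is_mitigated(version: str, environ=None) -> bool:
    """True when the installed Tornado is >= 6.5.6, or when the workaround
    from the advisory (TORNADO_EXTENSION=0) disables the native extension."""
    env = os.environ if environ is None else environ
    if parse_version(version) >= FIXED_VERSION:
        return True
    return env.get("TORNADO_EXTENSION", "").strip() == "0"


if __name__ == "__main__":
    key = b"\x01\x02\x03\x04"            # constructed sample mask
    masked = websocket_mask(key, b"hello")
    assert websocket_mask(key, masked) == b"hello"   # XOR masking is its own inverse
    print("6.5.5 with TORNADO_EXTENSION=0 mitigated:",
          is_mitigated("6.5.5", {"TORNADO_EXTENSION": "0"}))
```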


Affected packages

PyPI / tornado: introduced in 0, fixed in 6.5.6
Fix: `pip install --upgrade 'tornado>=6.5.6'`
