GHSA-cx3h-4qpv-8hc9

Source
https://github.com/advisories/GHSA-cx3h-4qpv-8hc9
Import Source
https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2026/06/GHSA-cx3h-4qpv-8hc9/GHSA-cx3h-4qpv-8hc9.json
JSON Data
https://api.osv.dev/v1/vulns/GHSA-cx3h-4qpv-8hc9
Aliases
  • CVE-2026-49854
Published
2026-06-12T18:30:19Z
Modified
2026-06-13T17:44:19.210430761Z
Severity
  • 3.7 (Low) CVSS_V3 - CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:N/A:N
Summary
Tornado has out-of-bounds memory access via C extension
Details

Summary

Tornado's optional native extension tornado.speedups implements websocket_mask without validating that the mask argument is exactly four bytes long. The C function reads four bytes from mask unconditionally, even when Python passes a shorter byte string. This can read beyond the provided buffer, exposing up to 3 bytes of uninitialized memory.

The behavior is reachable from Tornado's XSRF token decoder when xsrf_cookies=True and the native extension is active.

Mitigations

This bug is fixed in Tornado 6.5.6. Prior to upgrading to this version, setting the environment variable TORNADO_EXTENSION=0 will disable the vulnerable code (at the expense of reducing websocket performance).
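The defect described above is a fixed-width read (four mask bytes) performed without first checking that the caller supplied four bytes. The following C routine is an added illustration of the corrected pattern and is not Tornado's speedups code: it implements RFC 6455 payload masking (each payload byte XORed with mask[i mod 4]) and refuses to proceed when the mask length is anything other than four. The function and constant names are hypothetical; the test vector (mask 37 fa 21 3d applied to "Hello") is the worked example from RFC 6455 section 5.7.

```c
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* RFC 6455 masking keys are always exactly four bytes. */
#define WS_MASK_LEN 4

/* Return codes for the hardened routine (hypothetical names). */
enum { WS_MASK_OK = 0, WS_MASK_BAD_LEN = -1 };

/*
 * ws_mask_checked: XOR-mask data_len bytes of data into out.
 * Unlike the unchecked pattern the advisory describes, the routine
 * validates mask_len before touching mask[0..3], so a shorter mask
 * is rejected instead of causing an over-read past the buffer.
 */
int ws_mask_checked(const uint8_t *mask, size_t mask_len,
                    const uint8_t *data, size_t data_len, uint8_t *out)
{
    if (mask == NULL || mask_len != WS_MASK_LEN) {
        return WS_MASK_BAD_LEN;   /* refuse: never read beyond the mask */
    }
    for (size_t i = 0; i < data_len; i++) {
        out[i] = data[i] ^ mask[i & 3];
    }
    return WS_MASK_OK;
}

/* Constructed check: masking "Hello" with 37 fa 21 3d must yield
 * 7f 9f 4d 51 58 (RFC 6455 section 5.7), and unmasking must restore it. */
int demo_rfc6455_vector(void)
{
    const uint8_t mask[WS_MASK_LEN] = {0x37, 0xfa, 0x21, 0x3d};
    const uint8_t expected[5] = {0x7f, 0x9f, 0x4d, 0x51, 0x58};
    const uint8_t plain[5] = {'H', 'e', 'l', 'l', 'o'};
    uint8_t masked[5], restored[5];

    if (ws_mask_checked(mask, sizeof mask, plain, 5, masked) != WS_MASK_OK) {
        return 0;
    }
    if (memcmp(masked, expected, 5) != 0) {
        return 0;
    }
    /* Masking is an involution: applying the same key again unmasks. */
    if (ws_mask_checked(mask, sizeof mask, masked, 5, restored) != WS_MASK_OK) {
        return 0;
    }
    return memcmp(restored, plain, 5) == 0;
}

/* Constructed check: a three-byte mask (the advisory's failure mode)
 * is rejected up front and the output buffer is left untouched. */
int demo_rejects_short_mask(void)
{
    const uint8_t short_mask[3] = {0x37, 0xfa, 0x21};
    const uint8_t plain[5] = {'H', 'e', 'l', 'l', 'o'};
    uint8_t out[5] = {0xaa, 0xaa, 0xaa, 0xaa, 0xaa};

    int rc = ws_mask_checked(short_mask, sizeof short_mask, plain, 5, out);
    if (rc != WS_MASK_BAD_LEN) {
        return 0;
    }
    for (size_t i = 0; i < 5; i++) {
        if (out[i] != 0xaa) {
            return 0;  /* output must not have been written */
        }
    }
    return 1;
}

int main(void)
{
    printf("rfc6455 vector ok: %d\n", demo_rfc6455_vector());
    printf("short mask rejected: %d\n", demo_rejects_short_mask());
    return 0;
}
```

In a CPython extension the same check sits between argument parsing and the first read of the mask buffer; the Python caller then sees an exception (for example a ValueError) rather than a silent read of adjacent memory.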

Database specific
{
    "nvd_published_at": null,
    "github_reviewed_at": "2026-06-12T18:30:19Z",
    "github_reviewed": true,
    "severity": "LOW",
    "cwe_ids": [
        "CWE-126"
    ]
}
References

Affected packages

PyPI / tornado

Package

Affected ranges

Type
ECOSYSTEM
Events
Introduced
0 (unknown introduced version; all previous versions are affected)
Fixed
6.5.6

Affected versions

0.*
0.2
1.*
1.0
1.1
1.1.1
1.2
1.2.1
2.*
2.0
2.1
2.1.1
2.2
2.2.1
2.3
2.4
2.4.1
3.*
3.0
3.0.1
3.0.2
3.1
3.1.1
3.2
3.2.1
3.2.2
4.*
4.0
4.0.1
4.0.2
4.1b2
4.1
4.2b1
4.2
4.2.1
4.3b1
4.3b2
4.3
4.4b1
4.4
4.4.1
4.4.2
4.4.3
4.5b1
4.5b2
4.5
4.5.1
4.5.2
4.5.3
5.*
5.0a1
5.0b1
5.0
5.0.1
5.0.2
5.1b1
5.1
5.1.1
6.*
6.0a1
6.0b1
6.0
6.0.1
6.0.2
6.0.3
6.0.4
6.1b1
6.1b2
6.1
6.2b1
6.2b2
6.2
6.3b1
6.3
6.3.1
6.3.2
6.3.3
6.4b1
6.4
6.4.1
6.4.2
6.5b1
6.5
6.5.1
6.5.2
6.5.3
6.5.4
6.5.5

Database specific

source
"https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2026/06/GHSA-cx3h-4qpv-8hc9/GHSA-cx3h-4qpv-8hc9.json"