From 6de244e6827b65e14c6c1f09773a9d6c7869c941 Mon Sep 17 00:00:00 2001 From: Dxsk <43427519+dxsk@users.noreply.github.com> Date: Mon, 15 Jun 2026 15:25:27 +0200 Subject: [PATCH] fix(mitmproxy): mitigate CVE-2026-49854 via TORNADO_EXTENSION=0 --- .trivyignore | 6 ++++++ mitmproxy/Dockerfile | 7 +++++++ 2 files changed, 13 insertions(+) create mode 100644 .trivyignore diff --git a/.trivyignore b/.trivyignore new file mode 100644 index 0000000..8939007 --- /dev/null +++ b/.trivyignore @@ -0,0 +1,6 @@ +# CVE-2026-49854 — tornado <=6.5.5 OOB read in the websocket_mask C extension (LOW). +# tornado is a transitive dependency of mitmproxy, which caps tornado<=6.5.5; +# the fix (6.5.6) cannot be installed without breaking mitmproxy. Mitigated at +# runtime via TORNADO_EXTENSION=0 in mitmproxy/Dockerfile (forces the pure-Python +# path). Remove this entry once mitmproxy allows tornado>=6.5.6. +CVE-2026-49854 diff --git a/mitmproxy/Dockerfile b/mitmproxy/Dockerfile index f4ebc61..8f64300 100644 --- a/mitmproxy/Dockerfile +++ b/mitmproxy/Dockerfile @@ -11,6 +11,13 @@ RUN useradd -m -s /bin/sh mitmproxy && \ ENV HOME=/home/mitmproxy +# CVE-2026-49854: mitmproxy caps tornado<=6.5.5, but the OOB-read fix is in +# 6.5.6, so it cannot be installed without breaking mitmproxy's dependency +# constraint. Force tornado's pure-Python websocket_mask (tornado.util reads +# this var at import time) to avoid the vulnerable C extension. Drop this once +# mitmproxy allows tornado>=6.5.6. +ENV TORNADO_EXTENSION=0 + COPY entrypoint.sh /entrypoint.sh RUN chmod +x /entrypoint.sh