Skip to content
Merged
Show file tree
Hide file tree
Changes from all commits
Commits
File filter

Filter by extension

Filter by extension

Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
6 changes: 6 additions & 0 deletions .trivyignore
Original file line number Diff line number Diff line change
@@ -0,0 +1,6 @@
# CVE-2026-49854 — tornado <=6.5.5 OOB read in the websocket_mask C extension (LOW).
# tornado is a transitive dependency of mitmproxy, which caps tornado<=6.5.5;
# the fix (6.5.6) cannot be installed without breaking mitmproxy. Mitigated at
# runtime via TORNADO_EXTENSION=0 in mitmproxy/Dockerfile (forces the pure-Python
# path). Remove this entry once mitmproxy allows tornado>=6.5.6.
CVE-2026-49854
7 changes: 7 additions & 0 deletions mitmproxy/Dockerfile
Original file line number Diff line number Diff line change
Expand Up @@ -11,6 +11,13 @@ RUN useradd -m -s /bin/sh mitmproxy && \

ENV HOME=/home/mitmproxy

# CVE-2026-49854: mitmproxy caps tornado<=6.5.5, but the OOB-read fix is in
# 6.5.6, so it cannot be installed without breaking mitmproxy's dependency
# constraint. Force tornado's pure-Python websocket_mask (tornado.util reads
# this var at import time) to avoid the vulnerable C extension. Drop this once
# mitmproxy allows tornado>=6.5.6.
ENV TORNADO_EXTENSION=0

COPY entrypoint.sh /entrypoint.sh
RUN chmod +x /entrypoint.sh

Expand Down
Loading