{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2026-34824", "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "state": "PUBLISHED", "assignerShortName": "GitHub_M", "dateReserved": "2026-03-30T20:52:53.283Z", "datePublished": "2026-04-03T22:41:34.828Z", "dateUpdated": "2026-04-06T15:42:06.793Z"}, "containers": {"cna": {"title": "Mesop: Unbounded Thread Creation in WebSocket Handler Leads to Denial of Service", "problemTypes": [{"descriptions": [{"cweId": "CWE-125", "lang": "en", "description": "CWE-125: Out-of-bounds Read", "type": "CWE"}]}], "metrics": [{"cvssV3_1": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 7.5, "baseSeverity": "HIGH", "confidentialityImpact": "NONE", "integrityImpact": "NONE", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", "version": "3.1"}}], "references": [{"name": "https://github.com/mesop-dev/mesop/security/advisories/GHSA-3jr7-6hqp-x679", "tags": ["x_refsource_CONFIRM"], "url": "https://github.com/mesop-dev/mesop/security/advisories/GHSA-3jr7-6hqp-x679"}, {"name": "https://github.com/mesop-dev/mesop/commit/760a2079b5c609038c826d24dfbcf9b0be98d987", "tags": ["x_refsource_MISC"], "url": "https://github.com/mesop-dev/mesop/commit/760a2079b5c609038c826d24dfbcf9b0be98d987"}, {"name": "https://github.com/mesop-dev/mesop/releases/tag/v1.2.5", "tags": ["x_refsource_MISC"], "url": "https://github.com/mesop-dev/mesop/releases/tag/v1.2.5"}], "affected": [{"vendor": "mesop-dev", "product": "mesop", "versions": [{"version": ">= 1.2.3, < 1.2.5", "status": "affected"}]}], "providerMetadata": {"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M", "dateUpdated": "2026-04-03T22:41:34.828Z"}, "descriptions": [{"lang": "en", "value": "Mesop is a Python-based UI framework that allows users to build web applications. From version 1.2.3 to before version 1.2.5, an uncontrolled resource consumption vulnerability exists in the WebSocket implementation of the Mesop framework. An unauthenticated attacker can send a rapid succession of WebSocket messages, forcing the server to spawn an unbounded number of operating system threads. This leads to thread exhaustion and Out of Memory (OOM) errors, causing a complete Denial of Service (DoS) for any application built on the framework. This issue has been patched in version 1.2.5."}], "source": {"advisory": "GHSA-3jr7-6hqp-x679", "discovery": "UNKNOWN"}}, "adp": [{"references": [{"url": "https://github.com/mesop-dev/mesop/security/advisories/GHSA-3jr7-6hqp-x679", "tags": ["exploit"]}], "metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2026-04-06T15:36:21.198461Z", "id": "CVE-2026-34824", "options": [{"Exploitation": "poc"}, {"Automatable": "yes"}, {"Technical Impact": "partial"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-04-06T15:42:06.793Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2026-34824", "role": "CISA Coordinator", "options": [{"Exploitation": "poc"}, {"Automatable": "yes"}, {"Technical Impact": "partial"}], "version": "2.0.3", "timestamp": "2026-04-06T15:36:21.198461Z"}}}], "references": [{"url": "https://github.com/mesop-dev/mesop/security/advisories/GHSA-3jr7-6hqp-x679", "tags": ["exploit"]}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-04-06T15:36:29.638Z"}}], "cna": {"title": "Mesop: Unbounded Thread Creation in WebSocket Handler Leads to Denial of Service", "source": {"advisory": "GHSA-3jr7-6hqp-x679", "discovery": "UNKNOWN"}, "metrics": [{"cvssV3_1": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 7.5, "attackVector": "NETWORK", "baseSeverity": "HIGH", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", "integrityImpact": "NONE", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "HIGH", "privilegesRequired": "NONE", "confidentialityImpact": "NONE"}}], "affected": [{"vendor": "mesop-dev", "product": "mesop", "versions": [{"status": "affected", "version": ">= 1.2.3, < 1.2.5"}]}], "references": [{"url": "https://github.com/mesop-dev/mesop/security/advisories/GHSA-3jr7-6hqp-x679", "name": "https://github.com/mesop-dev/mesop/security/advisories/GHSA-3jr7-6hqp-x679", "tags": ["x_refsource_CONFIRM"]}, {"url": "https://github.com/mesop-dev/mesop/commit/760a2079b5c609038c826d24dfbcf9b0be98d987", "name": "https://github.com/mesop-dev/mesop/commit/760a2079b5c609038c826d24dfbcf9b0be98d987", "tags": ["x_refsource_MISC"]}, {"url": "https://github.com/mesop-dev/mesop/releases/tag/v1.2.5", "name": "https://github.com/mesop-dev/mesop/releases/tag/v1.2.5", "tags": ["x_refsource_MISC"]}], "descriptions": [{"lang": "en", "value": "Mesop is a Python-based UI framework that allows users to build web applications. From version 1.2.3 to before version 1.2.5, an uncontrolled resource consumption vulnerability exists in the WebSocket implementation of the Mesop framework. An unauthenticated attacker can send a rapid succession of WebSocket messages, forcing the server to spawn an unbounded number of operating system threads. This leads to thread exhaustion and Out of Memory (OOM) errors, causing a complete Denial of Service (DoS) for any application built on the framework. This issue has been patched in version 1.2.5."}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-125", "description": "CWE-125: Out-of-bounds Read"}]}], "providerMetadata": {"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M", "dateUpdated": "2026-04-03T22:41:34.828Z"}}}, "cveMetadata": {"cveId": "CVE-2026-34824", "state": "PUBLISHED", "dateUpdated": "2026-04-06T15:42:06.793Z", "dateReserved": "2026-03-30T20:52:53.283Z", "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "datePublished": "2026-04-03T22:41:34.828Z", "assignerShortName": "GitHub_M"}, "dataVersion": "5.2"}

{"cveTags": [], "descriptions": [{"lang": "en", "value": "Mesop is a Python-based UI framework that allows users to build web applications. From version 1.2.3 to before version 1.2.5, an uncontrolled resource consumption vulnerability exists in the WebSocket implementation of the Mesop framework. An unauthenticated attacker can send a rapid succession of WebSocket messages, forcing the server to spawn an unbounded number of operating system threads. This leads to thread exhaustion and Out of Memory (OOM) errors, causing a complete Denial of Service (DoS) for any application built on the framework. This issue has been patched in version 1.2.5."}], "id": "CVE-2026-34824", "lastModified": "2026-04-07T13:20:55.200", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 7.5, "baseSeverity": "HIGH", "confidentialityImpact": "NONE", "integrityImpact": "NONE", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", "version": "3.1"}, "exploitabilityScore": 3.9, "impactScore": 3.6, "source": "security-advisories@github.com", "type": "Secondary"}]}, "published": "2026-04-03T23:17:05.213", "references": [{"source": "security-advisories@github.com", "url": "https://github.com/mesop-dev/mesop/commit/760a2079b5c609038c826d24dfbcf9b0be98d987"}, {"source": "security-advisories@github.com", "url": "https://github.com/mesop-dev/mesop/releases/tag/v1.2.5"}, {"source": "security-advisories@github.com", "url": "https://github.com/mesop-dev/mesop/security/advisories/GHSA-3jr7-6hqp-x679"}, {"source": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "url": "https://github.com/mesop-dev/mesop/security/advisories/GHSA-3jr7-6hqp-x679"}], "sourceIdentifier": "security-advisories@github.com", "vulnStatus": "Awaiting Analysis", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-125"}], "source": "security-advisories@github.com", "type": "Secondary"}]}

{}

{"affected": [{"configurations": [{"platform": null, "status": "affected", "versions": {"scheme": "semver", "value": "[1.2.3,1.2.5)"}}], "enrichment": {"confidence": 100.0, "confidence_source": "cna", "scores": [{"score": 100.0, "source": "cna"}]}, "original": {"product": "mesop", "source": "cna", "vendor": "mesop-dev"}, "product": "mesop", "vendor": "mesop-dev"}], "analysis": {"en": {"generated_at": "2026-04-04T01:50:53.087415+00:00", "value": {"mitigation_remediation": ["Upgrade Mesop to version 1.2.5 or later to apply the security fix", "If an upgrade cannot be performed immediately, limit or temporarily disable the WebSocket endpoint, and configure a thread\u2011creation quota to prevent resource exhaustion", "Monitor thread counts and memory usage for sudden spikes that may indicate an ongoing DoS attempt", "Restrict network access to the WebSocket endpoint to trusted hosts or IP ranges to reduce exposure"], "summary": {"action": "Patch ASAP", "impact": "Denial of Service via unbounded thread creation"}, "threat_synthesis": {"affected_systems": "All releases of the mesop-dev:mesop Python UI framework from version 1.2.3 up to, but not including, 1.2.5 are vulnerable. The vulnerability was fixed in version 1.2.5. Applications building web interfaces with Mesop that run any of the affected versions are at risk when the WebSocket endpoint is exposed.", "description_and_impact": "The Mesop framework\u2019s WebSocket handler creates a new operating system thread for each message it receives. Because the number of threads is not limited, an unauthenticated attacker can flood the endpoint with rapid messages, exhausting system resources, triggering out\u2011of\u2011memory errors, and bringing the entire application to a halt. This issue is recorded as CWE\u2011125, indicating the underlying flaw involves improper resource handling, resulting in a high\u2011impact service interruption.", "risk_and_exploitability": "The CVSS score of 7.5 reflects the high severity of this denial\u2011of\u2011service flaw. EPSS data is unavailable, and the vulnerability is not listed in the CISA KEV catalog. The attack requires no authentication, relies solely on access to the WebSocket interface, and can be launched remotely by any client that can reach the endpoint."}}}}, "created": "2026-04-06T21:22:02.500297+00:00", "updated": "2026-04-06T22:21:40.557405+00:00", "vendors": ["mesop-dev", "mesop-dev$PRODUCT$mesop"]}