CVE-2026-34824: Uncontrolled Thread Spawning Denial of Service in Mesop WebSockets
Vulnerability ID: CVE-2026-34824
CVSS Score: 7.5
Published: 2026-04-03
CVE-2026-34824 is a high-severity denial-of-service vulnerability in the Mesop Python UI framework. Versions 1.2.3 and 1.2.4 fail to implement resource constraints within the WebSocket message handler, allowing unauthenticated remote attackers to trigger unbounded OS thread creation and cause complete system availability loss.
TL;DR
Unauthenticated attackers can crash Mesop applications by sending rapid WebSocket messages, causing operating system thread exhaustion. The vulnerability is fixed in version 1.2.5 via the introduction of bounded semaphores and a thread pool executor.
⚠️ Exploit Status: POC
Technical Details
- Primary CWE: CWE-400 (Uncontrolled Resource Consumption)
- Attack Vector: Network
- CVSS v3.1 Base Score: 7.5 (High)
- Impact: High Availability Loss (DoS)
- Exploit Status: PoC Available
- CISA KEV: Not Listed
Affected Systems
- Mesop Python UI framework >= 1.2.3, < 1.2.5
-
Mesop: >= 1.2.3, < 1.2.5 (Fixed in:
1.2.5)
Code Analysis
Commit: 760a207
Introduces ThreadPoolExecutor and BoundedSemaphore to limit concurrent WebSocket tasks
Mitigation Strategies
- Upgrade Mesop to version 1.2.5
- Implement rate limiting for WebSocket connections at the reverse proxy/WAF
- Restrict concurrent WebSocket connections per IP address
Remediation Steps:
- Identify all internal deployments utilizing the Mesop Python framework.
- Update package dependencies in requirements.txt to specify mesop>=1.2.5.
- Rebuild and redeploy affected application containers or virtual environments.
- Restart the application services.
- Verify the version upgrade via dependency audits or logs.
References
- GitHub Security Advisory GHSA-3jr7-6hqp-x679
- Mesop Official Fix Commit
- CVE Record CVE-2026-34824
- OSV Vulnerability Record
Read the full report for CVE-2026-34824 on our website for more details including interactive diagrams and full exploit analysis.
Top comments (0)