Mesop · Mesop · CVE-2026-34824
Name of the Vulnerable Software and Affected Versions
Mesop versions 1.2.3 through 1.2.5
Description
Mesop, a Python-based UI framework, contains an uncontrolled resource consumption issue in its WebSocket implementation. An unauthenticated attacker can send a rapid succession of WebSocket messages, causing the server to spawn an unbounded number of operating system threads. This leads to thread exhaustion and Out of Memory (OOM) errors, resulting in a Denial of Service (DoS). The vulnerability exists because the `handle_websocket` function in `mesop/server/server.py` has no thread pool, message queue, or rate-limiting mechanism: it spawns a new `threading.Thread` for each incoming WebSocket message without any restriction. A proof-of-concept (PoC) demonstrates that flooding the WebSocket endpoint with a minimal valid base64 payload can quickly exhaust server resources and crash the application. The vulnerability is classified as a Denial of Service (DoS) of high severity, since an attacker can crash the application with minimal bandwidth.
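The following is an added illustration, not Mesop's code and not the PoC. It places a hypothetical handler that follows the vulnerable pattern (one new OS thread per message, no cap) beside a hardened version built from the three controls the description says are missing: a fixed-size worker pool, a bounded backlog enforced with a semaphore, and a per-connection token-bucket rate limit. `simulate_burst` feeds a constructed message burst to each handler in-process and reports how many messages were admitted and how many extra threads existed at the peak. All class and function names here are assumptions for the example.

```python
"""Added example, not Mesop's code: an unbounded thread-per-message handler
(the pattern the advisory describes) beside a bounded one that admits work
through a fixed worker pool, a capped backlog, and a per-connection rate limit."""
import threading
import time
from concurrent.futures import ThreadPoolExecutor


def process_message(payload: bytes) -> None:
    # Stand-in for real per-message work; the sleep keeps threads alive long
    # enough for the simulation below to observe how many exist at once.
    time.sleep(0.1)


class UnboundedHandler:
    """Hypothetical handler mirroring the vulnerable pattern: one new OS thread
    per message and nothing that caps how many are in flight."""

    def __init__(self) -> None:
        self.threads = []

    def on_message(self, conn_id: str, payload: bytes) -> bool:
        t = threading.Thread(target=process_message, args=(payload,), daemon=True)
        t.start()
        self.threads.append(t)
        return True  # every message is accepted, whatever the load

    def drain(self) -> None:
        for t in self.threads:
            t.join()


class TokenBucket:
    """Per-connection limiter: refills `rate` tokens/second, holds at most `capacity`."""

    def __init__(self, rate: float, capacity: int, clock=time.monotonic) -> None:
        self.rate, self.capacity, self._clock = rate, capacity, clock
        self.tokens = float(capacity)
        self._last = clock()

    def allow(self) -> bool:
        now = self._clock()
        self.tokens = min(self.capacity, self.tokens + (now - self._last) * self.rate)
        self._last = now
        if self.tokens >= 1.0:
            self.tokens -= 1.0
            return True
        return False


class BoundedHandler:
    """Hypothetical hardened handler. Worker threads are fixed at `max_workers`;
    a semaphore caps accepted-but-unfinished messages at max_workers + max_pending
    (ThreadPoolExecutor's own queue is unbounded, so the cap must be enforced
    before submit); each connection is also rate-limited."""

    def __init__(self, max_workers: int = 4, max_pending: int = 16,
                 per_conn_rate: float = 50.0, per_conn_burst: int = 100) -> None:
        self._pool = ThreadPoolExecutor(max_workers=max_workers)
        self._slots = threading.BoundedSemaphore(max_workers + max_pending)
        self._buckets = {}
        self._lock = threading.Lock()
        self._rate, self._burst = per_conn_rate, per_conn_burst
        self.rejected = 0

    def on_message(self, conn_id: str, payload: bytes) -> bool:
        with self._lock:
            bucket = self._buckets.setdefault(conn_id, TokenBucket(self._rate, self._burst))
            allowed = bucket.allow()
        if not allowed or not self._slots.acquire(blocking=False):
            self.rejected += 1  # shed load instead of growing the thread count
            return False
        fut = self._pool.submit(process_message, payload)
        fut.add_done_callback(lambda _f: self._slots.release())
        return True

    def drain(self) -> None:
        self._pool.shutdown(wait=True)


def simulate_burst(handler, n_messages: int) -> dict:
    """Feed one connection n_messages back-to-back and report how many were
    accepted and the peak number of extra OS threads observed."""
    payload = b"e30="  # constructed minimal base64 payload ("{}")
    baseline = threading.active_count()
    peak, accepted = baseline, 0
    for _ in range(n_messages):
        if handler.on_message("conn-1", payload):
            accepted += 1
        peak = max(peak, threading.active_count())
    handler.drain()
    return {"accepted": accepted, "peak_extra_threads": peak - baseline}


if __name__ == "__main__":
    print("unbounded:", simulate_burst(UnboundedHandler(), 200))
    print("bounded:  ", simulate_burst(BoundedHandler(), 200))
```

Running the script shows the unbounded handler's thread count tracking the message count one-for-one, while the bounded handler never exceeds its four workers and reports the overflow in `rejected`. The semaphore is acquired non-blocking so that an over-budget client is refused immediately rather than stalling the receive loop, and the limit is applied before `submit` because `ThreadPoolExecutor` would otherwise queue an unlimited backlog in memory.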
Recommendations
Versions 1.2.3 through 1.2.5 are affected. Upgrade to version 1.2.5 to resolve the issue.