Description
Mesop is a Python-based UI framework that allows users to build web applications. From version 1.2.3 to before version 1.2.5, an uncontrolled resource consumption vulnerability exists in the WebSocket implementation of the Mesop framework. An unauthenticated attacker can send a rapid succession of WebSocket messages, forcing the server to spawn an unbounded number of operating system threads. This leads to thread exhaustion and Out of Memory (OOM) errors, causing a complete Denial of Service (DoS) for any application built on the framework. This issue has been patched in version 1.2.5.
Published: 2026-04-03
Score: 7.5 High
EPSS: < 1% Very Low
KEV: No
Impact: Denial of Service via unbounded thread creation
Action: Immediate Patch
AI Analysis

Impact

An unauthenticated attacker can send a rapid succession of WebSocket messages to the Mesop framework, causing the server to spawn an unbounded number of operating system threads. This uncontrolled resource consumption leads to thread exhaustion and out-of-memory errors, resulting in a complete denial of service for any application built on the framework. The weakness is consistent with CWE-125 and CWE-770.

Affected Systems

The vulnerability affects the Mesop framework, released under the mesop-dev:mesop product name. Versions from 1.2.3 up to, but not including, 1.2.5 are vulnerable. Applications built with these versions and deployed on any Python runtime are at risk until the issue is patched to 1.2.5 or later.

Risk and Exploitability

This issue carries a CVSS score of 7.5, which is rated High. The EPSS score is reported as less than 1%, indicating a low current likelihood of exploitation. It is not listed in the CISA KEV catalog. The vulnerability can be exploited by an unauthenticated attacker over the network by transmitting a rapid stream of WebSocket messages, requiring no prior access or privileged credentials.

Generated by OpenCVE AI on April 13, 2026 at 19:10 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Apply the Mesop 1.2.5 patch or later.
  • If patching is delayed, limit the rate of incoming WebSocket messages by implementing connection throttling.
  • Configure the server to cap the maximum number of concurrent threads or use a thread pool with a predefined upper bound.
  • Monitor thread usage and memory consumption for signs of exhaustion, and set alerts for sudden spikes.
  • Review and log WebSocket activity to detect anomalous patterns for future investigation.
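As an added example (not Mesop's code, and not the fix shipped in 1.2.5), the following Python illustrates the throttling and thread-cap actions above in one piece: a fixed-size worker pool with a bounded backlog, fronted by a per-connection token bucket, so a burst of WebSocket messages is shed rather than turned into new OS threads. The class names, the limits, the injectable clock and the single-connection burst scenario are all assumptions constructed for the illustration.

```python
"""Bounded WebSocket message dispatch: a thread-pool cap plus a per-connection
token bucket, so a message burst can never spawn an unbounded number of OS
threads. Illustrative code only; not the Mesop framework's implementation."""
import threading
from concurrent.futures import ThreadPoolExecutor
from typing import Callable, Dict


class TokenBucket:
    """Per-connection rate limiter. `clock` is injectable so runs are deterministic."""

    def __init__(self, rate: float, burst: int, clock: Callable[[], float]):
        self.rate = rate              # tokens refilled per second
        self.capacity = burst         # maximum tokens, i.e. the allowed burst size
        self.tokens = float(burst)
        self.clock = clock
        self.last = clock()
        self._lock = threading.Lock()

    def allow(self) -> bool:
        with self._lock:
            now = self.clock()
            self.tokens = min(self.capacity, self.tokens + (now - self.last) * self.rate)
            self.last = now
            if self.tokens >= 1.0:
                self.tokens -= 1.0
                return True
            return False


class BoundedDispatcher:
    """Hands messages to a fixed-size pool and sheds load instead of growing it."""

    def __init__(self, max_workers: int, max_queued: int, rate: float, burst: int,
                 clock: Callable[[], float]):
        self._pool = ThreadPoolExecutor(max_workers=max_workers)
        # one slot per running handler plus a bounded backlog; beyond that we reject
        self._slots = threading.BoundedSemaphore(max_workers + max_queued)
        self._rate, self._burst, self._clock = rate, burst, clock
        self._buckets: Dict[str, TokenBucket] = {}
        self._lock = threading.Lock()
        self._in_flight = 0
        self.peak_in_flight = 0       # highest number of handlers running at once
        self.stats = {"accepted": 0, "rate_limited": 0, "overloaded": 0}

    def _bucket(self, conn_id: str) -> TokenBucket:
        with self._lock:
            if conn_id not in self._buckets:
                self._buckets[conn_id] = TokenBucket(self._rate, self._burst, self._clock)
            return self._buckets[conn_id]

    def _count(self, key: str) -> None:
        with self._lock:
            self.stats[key] += 1

    def submit(self, conn_id: str, payload: str, handler: Callable[[str], None]) -> bool:
        """Return True if the message was queued, False if it was dropped."""
        if not self._bucket(conn_id).allow():
            self._count("rate_limited")   # this connection is sending too fast
            return False
        if not self._slots.acquire(blocking=False):
            self._count("overloaded")     # pool and backlog full: drop, never spawn
            return False
        self._count("accepted")
        self._pool.submit(self._run, payload, handler)
        return True

    def _run(self, payload: str, handler: Callable[[str], None]) -> None:
        with self._lock:
            self._in_flight += 1
            self.peak_in_flight = max(self.peak_in_flight, self._in_flight)
        try:
            handler(payload)
        finally:
            with self._lock:
                self._in_flight -= 1
            self._slots.release()         # free the slot for the next message

    def shutdown(self) -> None:
        self._pool.shutdown(wait=True)


def simulate_burst(n_messages: int = 50, max_workers: int = 4, max_queued: int = 4,
                   burst: int = 10) -> Dict[str, int]:
    """Constructed scenario: one connection fires n_messages in the same instant."""
    frozen_now = [0.0]
    clock = lambda: frozen_now[0]         # frozen clock: no token refill during the burst
    done = threading.Event()
    dispatcher = BoundedDispatcher(max_workers, max_queued, rate=20.0, burst=burst, clock=clock)
    handler = lambda payload: done.wait() # handlers block until the burst is over
    for i in range(n_messages):
        dispatcher.submit("conn-1", f"msg-{i}", handler)
    snapshot = dict(dispatcher.stats)
    done.set()
    dispatcher.shutdown()
    snapshot["peak_threads"] = dispatcher.peak_in_flight
    snapshot["thread_cap"] = max_workers
    return snapshot


if __name__ == "__main__":
    print(simulate_burst())
```

With the constructed defaults (50 messages, burst allowance 10, 4 workers plus a backlog of 4), the token bucket drops 40 messages, the semaphore drops 2 more once pool and backlog are full, and only 8 are ever queued; the peak number of concurrently running handlers stays at the 4-thread cap no matter how fast the client sends. The counters in `stats` are also the numbers a practitioner would export as metrics for the monitoring action above.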


Advisories

Source: Github GHSA
ID: GHSA-3jr7-6hqp-x679
Title: Mesop: Unbounded Thread Creation in WebSocket Handler Leads to Denial of Service
History

Mon, 13 Apr 2026 17:30:00 +0000

Weaknesses: CWE-770
CPEs: cpe:2.3:a:mesop-dev:mesop:*:*:*:*:*:python:*:*

Tue, 07 Apr 2026 00:00:00 +0000

First Time appeared: Mesop-dev; Mesop-dev mesop
Vendors & Products: Mesop-dev; Mesop-dev mesop

Mon, 06 Apr 2026 16:45:00 +0000

Metrics: ssvc
{'options': {'Automatable': 'yes', 'Exploitation': 'poc', 'Technical Impact': 'partial'}, 'version': '2.0.3'}

Fri, 03 Apr 2026 22:45:00 +0000

Description: Mesop is a Python-based UI framework that allows users to build web applications. From version 1.2.3 to before version 1.2.5, an uncontrolled resource consumption vulnerability exists in the WebSocket implementation of the Mesop framework. An unauthenticated attacker can send a rapid succession of WebSocket messages, forcing the server to spawn an unbounded number of operating system threads. This leads to thread exhaustion and Out of Memory (OOM) errors, causing a complete Denial of Service (DoS) for any application built on the framework. This issue has been patched in version 1.2.5.
Title: Mesop: Unbounded Thread Creation in WebSocket Handler Leads to Denial of Service
Weaknesses: CWE-125
References:
Metrics: cvssV3_1
{'score': 7.5, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H'}


MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published:

Updated: 2026-04-06T15:42:06.793Z

Reserved: 2026-03-30T20:52:53.283Z

Link: CVE-2026-34824

Vulnrichment

Updated: 2026-04-06T15:36:29.638Z

NVD

Status: Analyzed

Published: 2026-04-03T23:17:05.213

Modified: 2026-04-13T17:28:47.427

Link: CVE-2026-34824

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-04-14T16:41:32Z

Weaknesses