An uncontrolled resource consumption vulnerability exists in the WebSocket implementation of the Mesop framework. An unauthenticated attacker can send a rapid succession of WebSocket messages, forcing the server to spawn an unbounded number of operating system threads. This leads to thread exhaustion and Out of Memory (OOM) errors, causing a complete Denial of Service (DoS) for any application built on the framework.
The vulnerability stems from an architectural flaw in how incoming WebSocket messages are processed. In the mesop/server/server.py file, the handle_websocket function listens for incoming messages and immediately spawns a new threading.Thread for every successfully parsed ui_request.
There is no thread pool, message queue, or rate-limiting mechanism implemented to restrict the number of concurrent threads spawned per connection.
Vulnerable code snippet in mesop/server/server.py:
while True:
message = ws.receive()
if not message:
continue
# ... message parsing logic ...
# VULNERABILITY: Spawning a new thread for every single message without limits
thread = threading.Thread(
target=copy_current_request_context(ws_generate_data),
args=(ws, ui_request),
daemon=True,
)
thread.start()
To reproduce this vulnerability, you only need a running instance of a Mesop application and a basic Python script to flood the WebSocket endpoint.
Prerequisites:
Python environment with the websocket-client library installed (pip install websocket-client).
A target Mesop application running locally (e.g., http://localhost:8080).
Steps to reproduce:
Start the target Mesop application.
Save the following script as exploit_dos.py.
Run the script: python exploit_dos.py. Watch the server's resource monitor; memory and thread counts will spike rapidly until the process crashes.
import websocket
import base64
# Replace with the target Mesop...
1.2.5Exploitability
AV:NAC:LPR:NUI:NScope
S:UImpact
C:NI:NA:H7.5/CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H