Zero Day MonitorZDM

← Back to list

7.5

CVE-2026-34824PATCHED

pypa · mesop

Mesop: Unbounded Thread Creation in WebSocket Handler Leads to Denial of Service

Description

Mesop is a Python-based UI framework that allows users to build web applications. From version 1.2.3 to before version 1.2.5, an uncontrolled resource consumption vulnerability exists in the WebSocket implementation of the Mesop framework. An unauthenticated attacker can send a rapid succession of WebSocket messages, forcing the server to spawn an unbounded number of operating system threads. This leads to thread exhaustion and Out of Memory (OOM) errors, causing a complete Denial of Service (DoS) for any application built on the framework. This issue has been patched in version 1.2.5.

Affected Products

Vendor	Product	Versions
pypa	mesop	>= 1.2.3, < 1.2.5

References

https://github.com/mesop-dev/mesop/security/advisories/GHSA-3jr7-6hqp-x679(x_refsource_CONFIRM)
https://github.com/mesop-dev/mesop/commit/760a2079b5c609038c826d24dfbcf9b0be98d987(x_refsource_MISC)
https://github.com/mesop-dev/mesop/releases/tag/v1.2.5(x_refsource_MISC)

Related News (1 articles)

Tier C

VulDB5d ago

CVE-2026-34824 | mesop-dev mesop up to 1.2.4 WebSocket Message out-of-bounds (GHSA-3jr7-6hqp-x679)

→ No new info (linked only)

CVSS 3.17.5 HIGH

VectorCVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

CISA KEV❌ No

Actively exploited❌ No

Patch available

mesop@1.2.5

CWECWE-125

PublishedApr 3, 2026

Last enriched5d agov2

Tags

GHSA-3jr7-6hqp-x679pip

Trending Score23

Source articles1

Independent1

Info Completeness9/14

Missing: epss, kev, exploit, iocs, mitre_attack

Community Vote

0 upvotes0 downvotes

No votes yet

Related CVEs (5)

CRITICALCVE-2026-39987EXPKEV

marimo Affected by Pre-Auth Remote Code Execution via Terminal WebSocket Authentication Bypass

HIGHCVE-2026-40087EXP

LangChain has incomplete f-string validation in prompt templates

HIGHCVE-2026-39981

AGiXT has a Path Traversal in safe_join()

MEDIUMCVE-2026-34052

LTI JupyterHub Authenticator: Unbounded Memory Growth via Nonce Storage (Denial of Service)

HIGHCVE-2024-49048

TorchGeo Remote Code Execution Vulnerability

Pin to Dashboard

Verification

State: unverified

Confidence: 0%

Vulnerability Timeline

CVE Published

Apr 3, 2026

Discovered by ZDM

Apr 3, 2026

Updated: affectedVersions, severity

Apr 4, 2026

Patch Available

Apr 6, 2026

Version History

v2

Last enriched 5d ago

v2Tier C5d ago

Updated affected versions to include 1.2.4, changed severity to MEDIUM, and noted that no exploit is available.

affectedVersionsseverity

via VulDB

v16d ago

Initial creation