Mesop Path Traversal Vulnerability in FileStateSessionBackend Allows Arbitrary File Access and Denial-of-Service
Vulnerability
A path traversal vulnerability has been identified in Mesop versions 1.2.2 and prior. When an application uses the 'FileStateSessionBackend' for session management, a client can manipulate the 'state_token' in the UI stream payload so that it targets arbitrary files on disk. Exploitation can lead to application denial-of-service, caused by crash loops from reading non-msgpack files as configurations, or allow unauthorized file manipulation. The issue arises because the 'state_token' is taken from an untrusted source and passed directly to the file backend, where standard path traversal techniques can be used to escape the intended directory and access sensitive files.
Impact
Exploitation of this vulnerability could cause application crashes or allow unauthorized users to overwrite or delete files on the server, disrupting normal application operations and potentially leading to data loss.
Reproduction
To reproduce this vulnerability, send a crafted Protobuf message to the '/ui' stream endpoint. The message should include a 'state_token' that uses path traversal techniques to target a file outside the intended directory, such as '/etc/passwd' on Linux or a system file on Windows. The server will attempt to process the targeted file, leading to a crash or unauthorized file access, depending on the request.
Remediation
Users can upgrade to Mesop version 1.2.3, which addresses the path traversal vulnerability by adding proper validation to the 'state_token' before it is processed by the 'FileStateSessionBackend'.
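The advisory describes the fix as validating the 'state_token' before the file backend touches the filesystem. The following Python snippet is an added illustration of that kind of check, written for this page; it is not Mesop's code and does not reproduce the actual 1.2.3 patch. It contrasts a naive token-to-path mapping, which lets a traversal token escape the session directory, with a hardened version that enforces an opaque-identifier allowlist and then confirms the resolved path still lives directly under the session directory. The directory name, the token format and the function names are assumptions chosen for the example.

```python
import os
import re
from pathlib import Path

# Hypothetical session directory; the real backend's layout is not described
# in the advisory, so this value is an assumption for the example.
BASE_DIR = Path("/tmp/mesop_sessions_example")

# Allowlist for session tokens: opaque identifiers only. Rejecting anything
# else means "/", "\\" and "." never reach a filesystem call.
TOKEN_RE = re.compile(r"^[A-Za-z0-9_-]{16,128}$")


class InvalidStateToken(ValueError):
    """Raised when a client-supplied state token fails validation."""


def naive_session_path(base_dir: Path, token: str) -> str:
    """Vulnerable pattern: the untrusted token is joined onto the directory
    with no validation, so '..' segments walk out of base_dir. Purely lexical
    (normpath, no symlink resolution) so the result is deterministic."""
    return os.path.normpath(os.path.join(str(base_dir), token))


def validate_state_token(token: str) -> str:
    """First line of defence: reject tokens that are not plain identifiers."""
    if not isinstance(token, str) or not TOKEN_RE.fullmatch(token):
        raise InvalidStateToken("state_token does not match the allowed format")
    return token


def resolve_session_path(base_dir: Path, token: str) -> Path:
    """Hardened mapping: validate the token, then confirm containment.

    The containment check is defence in depth; even if the allowlist were
    loosened later, a path whose parent is not the session directory is
    refused before any read, write or delete happens.
    """
    validate_state_token(token)
    base = base_dir.resolve()
    candidate = (base / token).resolve()
    if candidate.parent != base:
        raise InvalidStateToken("resolved path escapes the session directory")
    return candidate


def is_safe_token(token: str) -> bool:
    """Convenience wrapper returning True only for tokens the backend may use."""
    try:
        resolve_session_path(BASE_DIR, token)
        return True
    except InvalidStateToken:
        return False


if __name__ == "__main__":
    # Constructed sample tokens: one well-formed identifier and two malformed ones.
    for sample in ("a1b2c3d4e5f6g7h8i9j0", "../../etc/passwd", "..\\..\\win.ini"):
        print(f"{sample!r}: naive -> {naive_session_path(BASE_DIR, sample)}; "
              f"safe={is_safe_token(sample)}")
```

The naive function is included only to show why the check matters: with a traversal token it produces a path outside the session directory, which is exactly the condition the advisory describes. The hardened path never calls `open()` on anything the allowlist did not admit.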
