Mesop Unauthenticated Remote Code Execution Vulnerability in AI Testing Module

Vulnerability

A remote code execution vulnerability has been identified in the Mesop UI framework for Python, specifically in versions through 1.2.2. The issue arises from an unprotected web endpoint in the AI testing module that accepts and executes untrusted Python code. This vulnerability allows anyone who can send HTTP requests to the server to execute commands on the host machine. The flaw has been addressed in version 1.2.3.

Impact

Exploitation of this vulnerability allows for unrestricted remote code execution on the host machine.

Reproduction

To reproduce this vulnerability, send a POST request to the '/exec-py' endpoint of a Mesop application running version 1.2.2 or earlier. The request must include a base64-encoded Python script in the 'code' parameter. The server decodes the payload, writes it to a location on the host filesystem, and executes it, thereby granting command execution on the host machine.

Remediation

Users can upgrade to Mesop version 1.2.3 to address this vulnerability.
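As an added example (not code from the advisory or the Mesop project), the following Python flags POST requests to the /exec-py endpoint in web-server access logs and checks whether an installed version string falls in the affected range (1.2.2 or earlier). The Common Log Format input, the sample addresses and the helper names are assumptions.

```python
"""Defender-side helpers for the Mesop /exec-py issue (added example)."""
import re
from typing import List, Tuple

# Constructed sample access-log lines in Common Log Format; not real traffic.
SAMPLE_LOG = """\
203.0.113.7 - - [20/Mar/2026:08:20:01 +0000] "POST /exec-py HTTP/1.1" 200 17
198.51.100.9 - - [20/Mar/2026:08:20:05 +0000] "GET /index HTTP/1.1" 200 2048
203.0.113.7 - - [20/Mar/2026:08:20:09 +0000] "POST /exec-py?x=1 HTTP/1.1" 500 0
192.0.2.4 - - [20/Mar/2026:08:21:00 +0000] "GET /exec-py HTTP/1.1" 405 0
"""

# Client address, HTTP method and request path of one CLF entry.
_CLF = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] "(?P<method>[A-Z]+) (?P<path>\S+) [^"]*"'
)


def find_exec_py_requests(log_text: str) -> List[Tuple[str, str]]:
    """Return (client_ip, request_path) for every POST to /exec-py.

    The advisory describes the exploit as a POST, so only POSTs are flagged;
    a query string on the path is ignored when comparing the endpoint.
    """
    hits = []
    for line in log_text.splitlines():
        m = _CLF.match(line)
        if not m:
            continue  # not a CLF line; skip rather than guess
        endpoint = m.group("path").split("?", 1)[0]
        if m.group("method") == "POST" and endpoint == "/exec-py":
            hits.append((m.group("ip"), m.group("path")))
    return hits


FIXED_VERSION = (1, 2, 3)  # first release containing the fix, per the advisory


def is_vulnerable_version(version: str) -> bool:
    """True when a Mesop version string is 1.2.2 or earlier."""
    parts = tuple(int(p) for p in re.findall(r"\d+", version)[:3])
    parts = parts + (0,) * (3 - len(parts))  # pad "1.3" to (1, 3, 0)
    return parts < FIXED_VERSION


if __name__ == "__main__":
    for ip, path in find_exec_py_requests(SAMPLE_LOG):
        print(f"ALERT: POST to {path} from {ip}")
    print("1.2.2 affected:", is_vulnerable_version("1.2.2"))
```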

Added: Mar 20, 2026, 8:20 AM
Updated: Mar 20, 2026, 8:20 AM

Vulnerability Rating

Custom Algorithm

spread: 0.0
impact: 10.0
exploitability: 8.3
remediation: 0.0
relevance: 4.2
threat: 6.7
urgency: 2.9
incentive: 4.2

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.