Mesop WebSocket Uncontrolled Resource Consumption Vulnerability Leading to Denial-of-Service
Vulnerability
A denial-of-service vulnerability has been identified in the Mesop framework, affecting versions from 1.2.3 up to, but not including, 1.2.5. The issue arises from uncontrolled resource consumption in the WebSocket implementation: an unauthenticated attacker can send a rapid succession of messages, and the server spawns a new operating system thread for each one with no upper bound. This leads to thread exhaustion and out-of-memory errors, so any application built on the framework becomes unresponsive. The vulnerability has been patched in version 1.2.5.
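The following Python script is an added illustration of the flaw class described above and of the defensive pattern that removes it; it is not Mesop's code and does not reproduce Mesop's actual fix. It contrasts a handler that starts one OS thread per incoming WebSocket message (unbounded) with a dispatcher that admits work through a fixed-size pool plus a bounded admission semaphore and rejects excess messages instead of growing. The WebSocket transport is stood in for by a plain list of constructed JSON payloads, and the names `BoundedDispatcher`, `unbounded_burst` and `bounded_burst` are assumptions of this example.

```python
import json
import threading
from concurrent.futures import ThreadPoolExecutor


def make_messages(n):
    # Constructed sample payloads standing in for WebSocket frames (not Mesop's format).
    return [json.dumps({"event": "click", "seq": i}) for i in range(n)]


def unbounded_burst(n_messages):
    """Vulnerable pattern: one OS thread per message, no limit on concurrency.

    Returns how many extra threads existed at the peak (equals n_messages)."""
    gate = threading.Event()          # handlers block here, modelling slow work
    before = threading.active_count()
    threads = []
    for msg in make_messages(n_messages):
        t = threading.Thread(target=lambda m=msg: gate.wait())  # thread per message
        t.start()
        threads.append(t)
    extra_threads = threading.active_count() - before
    gate.set()
    for t in threads:
        t.join()
    return extra_threads


class BoundedDispatcher:
    """Hardened pattern (example, not Mesop's implementation): a fixed worker pool
    plus a bounded admission semaphore. At most max_workers + max_queued messages
    are in flight for this connection; anything beyond that is rejected
    immediately, so a flood costs the attacker connections, not server threads."""

    def __init__(self, max_workers=4, max_queued=8):
        self._pool = ThreadPoolExecutor(max_workers=max_workers)
        self._slots = threading.BoundedSemaphore(max_workers + max_queued)
        self._lock = threading.Lock()
        self.accepted = 0
        self.rejected = 0
        self.processed = 0

    def submit(self, message, handler):
        # Non-blocking acquire: if every slot is taken, drop the message now.
        if not self._slots.acquire(blocking=False):
            with self._lock:
                self.rejected += 1
            return False
        with self._lock:
            self.accepted += 1

        def run():
            try:
                handler(message)
                with self._lock:
                    self.processed += 1
            finally:
                self._slots.release()   # free the slot whether or not the handler failed

        self._pool.submit(run)
        return True

    def shutdown(self):
        self._pool.shutdown(wait=True)


def bounded_burst(n_messages, max_workers=4, max_queued=8):
    """Feed the same burst through the bounded dispatcher and report the outcome."""
    gate = threading.Event()
    before = threading.active_count()
    d = BoundedDispatcher(max_workers, max_queued)
    for msg in make_messages(n_messages):
        d.submit(msg, lambda m: gate.wait())
    extra_threads = threading.active_count() - before   # never exceeds max_workers
    gate.set()
    d.shutdown()
    return {
        "accepted": d.accepted,
        "rejected": d.rejected,
        "processed": d.processed,
        "extra_threads": extra_threads,
    }


if __name__ == "__main__":
    print("unbounded: extra threads for 100 messages =", unbounded_burst(100))
    print("bounded:  ", bounded_burst(100))
```

The bounded version fails closed under load: the rejected count rises while the thread count stays flat at the pool size, which is also the signal a defender would alert on (a per-connection rejection rate spike) rather than waiting for the host to run out of memory.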
Impact
Exploitation of this vulnerability causes thread exhaustion and out-of-memory errors on the server, leading to a complete denial-of-service condition for applications using the Mesop framework.
Reproduction
To reproduce this vulnerability, run a Python script that floods the WebSocket endpoint with messages. The script should connect to the WebSocket URL of the target Mesop application, send a high volume of messages, and monitor the server's resource usage. The server will become unresponsive or crash due to the excessive thread and memory consumption.
Remediation
Users can upgrade to Mesop version 1.2.5 or later, where this vulnerability has been fixed.