Mesop is a Python-based UI framework that allows users to build web applications. Versions 1.2.2 and below contain a Path Traversal vulnerability that allows any user supplying an untrusted state_token through the UI stream payload to arbitrarily target files on the disk under the standard file-based runtime backend. This can result in application denial of service (via crash loops when reading non-msgpack target files as configurations), or arbitrary file manipulation. This vulnerability heavily exposes systems hosted utilizing FileStateSessionBackend. Unauthorized malicious actors could interact with arbitrary payloads overwriting or explicitly removing underlying service resources natively outside the application bounds. This issue has been fixed in version 1.2.3.
The attacker provides a crafted state_token parameter in the request payload to the UI stream endpoint. The vulnerable implementation does not properly validate this value, allowing the file-based backend (FileStateSessionBackend) to be directed to any file on the server disk. If the indicated file is not in msgpack format (expected by the application), a read error occurs causing a crash loop and denial of service (DoS). The attacker can also overwrite or delete system resources outside application boundaries.
An unauthenticated attacker can cause multiple application crashes (crash loop, DoS), as well as arbitrarily overwrite or delete files on the server disk outside the application scope, which can lead to permanent damage or data loss.
Mesop should be updated to version 1.2.3, in which the vulnerability has been fixed. The patch is available in the GitHub repository (commit c6b382f363b73ac32c402a2db3aadc7784f66a5b) and as an official v1.2.3 release.
Mesop (mesop-dev/mesop) in versions 1.2.2 and earlier, particularly installations using FileStateSessionBackend as the session backend.
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:HMesop Dev Mesop
APPMesop-Dev< 1.2.3