Advisory Database

CVE-2026-34824: Mesop: Unbounded Thread Creation in WebSocket Handler Leads to Denial of Service

April 3, 2026 (updated April 6, 2026)

An uncontrolled resource consumption vulnerability exists in the WebSocket implementation of the Mesop framework. An unauthenticated attacker can send a rapid succession of WebSocket messages, forcing the server to spawn an unbounded number of operating system threads. This leads to thread exhaustion and Out of Memory (OOM) errors, causing a complete Denial of Service (DoS) for any application built on the framework.

References

  • github.com/advisories/GHSA-3jr7-6hqp-x679
  • github.com/mesop-dev/mesop
  • github.com/mesop-dev/mesop/commit/760a2079b5c609038c826d24dfbcf9b0be98d987
  • github.com/mesop-dev/mesop/releases/tag/v1.2.5
  • github.com/mesop-dev/mesop/security/advisories/GHSA-3jr7-6hqp-x679
  • nvd.nist.gov/vuln/detail/CVE-2026-34824

Affected versions

All versions starting from 1.2.3 and before 1.2.5

Fixed versions

  • 1.2.5

Solution

Upgrade to version 1.2.5 or above.

Impact 7.5 HIGH

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

Weakness

  • CWE-125: Out-of-bounds Read
  • CWE-400: Uncontrolled Resource Consumption

Source file

pypi/mesop/CVE-2026-34824.yml

Page generated Sat, 09 May 2026 12:19:41 +0000.