GHSA-8qvf-mr4w-9x2c: Mesop has a Path Traversal utilizing `FileStateSessionBackend` leads to Application Denial of Service and File Write/Deletion
Summary
Mesop has a path traversal vulnerability (a technique where an attacker uses sequences like `../` to escape intended directory boundaries) in its file-based session backend that allows attackers to read, write, or delete arbitrary files on the server by crafting malicious `state_token` values in messages sent to the `/ui` endpoint. This can crash the application or give attackers unauthorized access to system files.
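The class of bug described above, as an added example that is not Mesop's code: a file-based session store that joins a client-supplied `state_token` onto its directory, next to a version that validates the token and confirms the resolved path stays inside that directory. The function names, the token pattern and the sample tokens are assumptions made for illustration.

```python
import re
import tempfile
from pathlib import Path

# Assumption: tokens are URL-safe random strings; this allowlist is illustrative.
TOKEN_RE = re.compile(r"[A-Za-z0-9_-]{16,128}")


def naive_session_path(base_dir, state_token):
    """Vulnerable pattern: the client-supplied token is joined unchecked."""
    return Path(base_dir) / state_token


def naive_escapes(base_dir, state_token):
    """True if the naive join resolves to a path outside base_dir."""
    base = Path(base_dir).resolve()
    return base not in naive_session_path(base, state_token).resolve().parents


def safe_session_path(base_dir, state_token):
    """Return the session file path; raise ValueError for unsafe tokens."""
    if not isinstance(state_token, str) or not TOKEN_RE.fullmatch(state_token):
        raise ValueError("state_token has an unexpected format")
    base = Path(base_dir).resolve()
    candidate = (base / state_token).resolve()
    # Defence in depth: after resolving symlinks, the file must sit
    # directly inside the session directory.
    if candidate.parent != base:
        raise ValueError("state_token resolves outside the session directory")
    return candidate


def is_accepted(base_dir, state_token):
    """Convenience wrapper used by the demo below."""
    try:
        safe_session_path(base_dir, state_token)
        return True
    except ValueError:
        return False


if __name__ == "__main__":
    session_dir = tempfile.mkdtemp()
    # Constructed sample tokens: one well-formed, two that leave the directory.
    for token in ["A" * 32, "../../etc/passwd", "/etc/passwd"]:
        print(repr(token), "naive escapes:", naive_escapes(session_dir, token),
              "| hardened accepts:", is_accepted(session_dir, token))
```

The absolute-path case matters as much as `../`: joining an absolute token onto a `Path` discards the base directory entirely.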
Vulnerability Details
EPSS: 0.0%
March 18, 2026
Original source: https://github.com/advisories/GHSA-8qvf-mr4w-9x2c
First tracked: March 18, 2026 at 04:59 PM