CVE-2026-33054

Mesop · Mesop

Mesop versions 1.2.2 and below are vulnerable to path traversal, allowing unauthorized users to manipulate or delete arbitrary files on the host disk.

Executive summary

A critical path traversal vulnerability in the Mesop framework allows unauthenticated attackers to arbitrarily target, manipulate, or delete files on the server.

Vulnerability

The vulnerability exists in the handling of the state_token through the UI stream payload. Unauthorized actors can supply crafted tokens to target files outside the application bounds when the FileStateSessionBackend is utilized, leading to arbitrary file manipulation or denial of service.
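Mesop's own session code is not reproduced here. As an added, hypothetical Python illustration (not Mesop's API) of the check a file-backed session store needs, the snippet below treats the state token as an opaque identifier, allow-lists its format, and confirms the resolved path stays inside the session directory before any file operation; the function names, token format and directory layout are assumptions.

```python
import os
import re
from pathlib import Path

# Hypothetical file-backed session store (not Mesop's code): each session's
# state lives at <base_dir>/<state_token>, so the token must never be able to
# name a path outside base_dir.
TOKEN_RE = re.compile(r"^[A-Za-z0-9_-]{16,128}$")


class InvalidStateToken(ValueError):
    """Raised when a client-supplied state token fails validation."""


def resolve_state_path(base_dir: str, state_token: str) -> Path:
    """Map a state token to its on-disk file, rejecting anything that is not a
    plain identifier or that would resolve outside base_dir."""
    # Layer 1: allow-list the token format before touching the filesystem.
    if not TOKEN_RE.fullmatch(state_token):
        raise InvalidStateToken("state_token does not match the allowed format")
    base = Path(base_dir).resolve()
    candidate = (base / state_token).resolve()
    # Layer 2 (defence in depth): the resolved path must be a child of base.
    if base not in candidate.parents:
        raise InvalidStateToken("state_token resolves outside the session directory")
    return candidate


def token_is_valid(base_dir: str, state_token: str) -> bool:
    """Convenience wrapper: True only if both validation layers pass."""
    try:
        resolve_state_path(base_dir, state_token)
        return True
    except InvalidStateToken:
        return False


def delete_session_state(base_dir: str, state_token: str) -> bool:
    """Remove a session file only after validation. Returns True if a file was
    removed, False if no such session existed."""
    path = resolve_state_path(base_dir, state_token)
    try:
        os.remove(path)
        return True
    except FileNotFoundError:
        return False


def demo() -> dict:
    """Self-check on a throwaway directory: a valid token round-trips, and a
    token containing path separators is refused before any file access."""
    import tempfile
    base = tempfile.mkdtemp()
    good = "session_0123456789abcdef"  # constructed sample token
    (Path(base) / good).write_text("{}")
    results = {"deleted_valid": delete_session_state(base, good),
               "deleted_missing": delete_session_state(base, good),
               "rejected_escape": not token_is_valid(base, "../outside")}
    return results
```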

Business impact

With a CVSS score of 10.0, this vulnerability represents a total compromise of system integrity and availability. Attackers can delete critical service resources or overwrite configurations, causing permanent data loss or persistent denial of service. This level of access to the underlying filesystem is a critical threat to any organization hosting Mesop-based applications.

Remediation

Immediate Action: Update Mesop to version 1.2.3, which fixes the path traversal logic and secures the session backend.

Proactive Monitoring: Monitor for unexpected file system changes or application crash loops that may indicate an attempted exploit of the file-based runtime backend.

Compensating Controls: If using the FileStateSessionBackend, switch to a more secure session management backend or implement strict filesystem permissions to limit the application's write access.

Exploitation status

Public Exploit Available: No

Analyst recommendation

The ability to manipulate arbitrary files on the host system requires immediate corrective action. Organizations must prioritize the update to Mesop 1.2.3. Failure to do so leaves the server highly vulnerable to both data destruction and system instability.