Medium severity5.8OSV Advisory· Published Apr 4, 2024· Updated Apr 15, 2026

CVE-2024-30254

Description

MesonLSP is an unofficial, unendorsed language server for meson written in C++. A vulnerability in versions prior to 4.1.4 allows overwriting arbitrary files if the attacker can make the victim either run the language server within a specific crafted project or mesonlsp --full. Version 4.1.4 contains a patch for this issue. As a workaround, avoid running mesonlsp --full and set the language server option others.neverDownloadAutomatically to true.

Affected products

Jcwasmx86/MesonlspOSV
Range: v1.0, v1.1, v1.2, …

Patches

594b63340613

https://github.com/jcwasmx86/mesonlspvia osv

commit

Vulnerability mechanics

Generated on May 9, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.

References

github.com/JCWasmx86/mesonlsp/commit/594b6334061371911cd59389124ab8af30ce0a3anvd
github.com/JCWasmx86/mesonlsp/security/advisories/GHSA-48c5-35fh-846hnvd

News mentions

No linked articles in our index yet.

cvss	0.377
epss	0.000
exploit	0.000
kev	0.000
patch	-0.070
ransomware	0.000