VYPR
← All advisories
High severity7.5NVD Advisory· Published Sep 18, 2024· Updated Apr 15, 2026

CVE-2024-45601

CVE-2024-45601

Description

Mesop is a Python-based UI framework designed for rapid web apps development. A vulnerability has been discovered and fixed in Mesop that could potentially allow unauthorized access to files on the server hosting the Mesop application. The vulnerability was related to insufficient input validation in a specific endpoint. This could have allowed an attacker to access files not intended to be served. Users are strongly advised to update to the latest version of Mesop immediately. The latest version includes a fix for this vulnerability. At time of publication 0.12.4 is the most recently available version of Mesop.

Affected packages

Versions sourced from the GitHub Security Advisory.

PackageAffected versionsPatched versions
mesopPyPI
>= 0.9.0, < 0.12.40.12.4

Patches

3
46077db631d9
https://github.com/google/mesopvia osv
17fb769d6a91
https://github.com/mesop-dev/mesopvia osv
17fb769d6a91

Fix web component static file serving (#942)

https://github.com/google/mesopWill ChenSep 11, 2024via ghsa
commit
6 files changed · +46 6
  • docs/guides/web-security.md+6 2 modified
    @@ -1,8 +1,12 @@
 # Web Security
 
-Mesop by default configures its apps to follow a set of web security best practices.
+## Static file serving
 
-## How
+Mesop allows serving JS and CSS files located within the Mesop app's file subtree to support [web components](../web-components/index.md).
+
+**Security Warning:** Do not place any sensitive or confidential JS and CSS files in your Mesop project directory. These files may be inadvertently exposed and served by the Mesop web server, potentially compromising your application's security.
+
+## JavaScript Security
 
 At a high-level, Mesop is built on top of Angular which provides [built-in security protections](https://angular.io/guide/security) and Mesop configures a strict [Content Security Policy](https://developer.mozilla.org/en-US/docs/Web/HTTP/CSP).
  • mesop/components/input/e2e/input_test.ts+4 2 modified
    @@ -44,7 +44,8 @@ test('test input on_blur works', async ({page}) => {
   ).toBeVisible();
 });
 
-test('test textarea shortcuts', async ({page}) => {
+// TODO: unskip this test once the flakiness is fixed
+test.skip('test textarea shortcuts', async ({page}) => {
   await page.goto('/components/input/e2e/textarea_shortcut_app');
   const textbox = page.getByLabel('Textarea');
   await textbox.fill('hi');
@@ -89,7 +90,8 @@ test('test textarea shortcuts', async ({page}) => {
   ).toBeVisible();
 });
 
-test('test native textarea shortcuts', async ({page}) => {
+// TODO: unskip this test once the flakiness is fixed
+test.skip('test native textarea shortcuts', async ({page}) => {
   await page.goto('/components/input/e2e/textarea_shortcut_app');
   const textbox = page.getByPlaceholder('Native textarea');
  • mesop/examples/web_component/BUILD+4 1 modified
    @@ -7,7 +7,10 @@ package(
 py_library(
     name = "web_component",
     srcs = glob(["*.py"]),
-    data = glob(["*.js"]),
+    data = glob([
+        "*.js",
+        "*.css",
+    ]),
     deps = [
         "//mesop",
         "//mesop/examples/web_component/async_action",
  • mesop/examples/web_component/testing.css+0 0 added
  • mesop/server/static_file_serving.py+12 1 modified
    @@ -96,8 +96,19 @@ def serve_web_components(path: str):
     serving_path = (
       get_runfile_location(path)
       if has_runfiles()
-      else os.path.join(os.getcwd(), path)
+      else safe_join(os.getcwd(), path)
     )
+
+    file_name = os.path.basename(path)
+    file_extension = os.path.splitext(file_name)[1].lower()
+    allowed_extensions = {".js", ".css"}
+    if file_extension not in allowed_extensions:
+      raise MesopException(
+        f"Unexpected file type: {file_extension}. Only {', '.join(allowed_extensions)} files are allowed."
+      )
+
+    if not serving_path:
+      raise MesopException("Unexpected request to " + path)
     return send_file_compressed(
       serving_path,
       disable_gzip_cache=disable_gzip_cache,
  • mesop/tests/e2e/web_components/web_component_serving_test.ts+20 0 added
    @@ -0,0 +1,20 @@
+import {test, expect} from '@playwright/test';
+
+test('web components serving blocks non-js/css files', async ({page}) => {
+  const response = await page.goto(
+    '/__web-components-module__/mesop/mesop/examples/web_component/quickstart/counter_component.py',
+  );
+  expect(response!.status()).toBe(500);
+});
+
+test('web components serving allows js and css files', async ({page}) => {
+  const jsResponse = await page.goto(
+    '/__web-components-module__/mesop/mesop/examples/web_component/quickstart/counter_component.js',
+  );
+  expect(jsResponse!.status()).toBe(200);
+
+  const cssResponse = await page.goto(
+    '/__web-components-module__/mesop/mesop/examples/web_component/testing.css',
+  );
+  expect(cssResponse!.status()).toBe(200);
+});

Vulnerability mechanics

Generated by null/stub on May 9, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.

References

4

News mentions

0

No linked articles in our index yet.