Platform
python
Component
mesa
Fixed in
3.5.1
Mesa is an open-source Python library for agent-based modeling, used to simulate complex systems. CVE-2026-29075 describes a remote code execution (RCE) vulnerability in Mesa versions 3.5.0 and earlier: the project's benchmarks.yml workflow checks out and runs untrusted code on a privileged CI runner, so an attacker who can get code in front of that workflow can execute arbitrary commands with the runner's privileges. A patch has been released (fixed in 3.5.1).
The attack path is the workflow itself, not a user checking anything out: an attacker supplies malicious code that benchmarks.yml will check out (for this class of CI flaw, typically a pull request from a fork), and when the privileged job runs, that code executes on the runner with access to whatever secrets and tokens the job holds. From there the attacker can read or tamper with the repository, steal credentials, or, if the job holds release credentials, push poisoned artifacts downstream. The blast radius is therefore the CI runner and everything its credentials can reach. A machine that merely installs the mesa package from PyPI does not run this workflow and is not directly exposed by it; forks and derived projects that carry a copy of benchmarks.yml, and any other pipeline that runs it on a privileged runner, share the exposure.
This vulnerability was publicly disclosed on 2026-03-06. There is currently no indication of active exploitation in the wild, but the ease of exploitation and the potential impact warrant careful attention. The vulnerability's presence in a CI/CD pipeline makes it a particularly attractive target. No KEV listing at the time of writing.
Who is affected: the Mesa project's own CI, and any organization or individual whose fork or derived project runs the benchmarks.yml workflow, particularly on self-hosted or otherwise privileged runners with loose access controls. Researchers and developers who have customized benchmarks.yml are at increased risk, because their copy will not pick up the upstream fix automatically.
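The pattern described above (a privileged trigger, a checkout of contributor-controlled code, and a step that executes it), as an added example that is not Mesa's own workflow or tooling: a small Python auditor you can point at your fork's workflow files. The three workflow texts are constructed for illustration and are not the real benchmarks.yml; the trigger names and ref expressions are the general GitHub Actions ones, and the execution-step patterns are a heuristic list you would extend for your own tooling.

```python
"""Audit GitHub Actions workflow text for the "untrusted code on a
privileged runner" pattern behind CVE-2026-29075.

Added example, not Mesa's code. The sample workflows are constructed and
are NOT the real benchmarks.yml. Parsing is line-oriented so it runs
without PyYAML; it is a triage aid, not a substitute for reading the file.
"""
import re

# Triggers whose jobs run with the base repository's privileges (secrets,
# write-capable GITHUB_TOKEN) even when an outside contributor caused them.
PRIVILEGED_TRIGGERS = ("pull_request_target", "workflow_run", "issue_comment")

# Checkout refs that resolve to contributor-controlled code.
UNTRUSTED_REF = re.compile(
    r"github\.event\.pull_request\.head\.(sha|ref)"
    r"|github\.head_ref"
    r"|github\.event\.workflow_run\.head_(sha|branch)"
)

# Steps that execute whatever was checked out: installs that run setup.py,
# test runners, benchmark harnesses, build scripts. Heuristic; extend it.
EXECUTES_REPO_CODE = re.compile(
    r"pip install\s+(-e\s+)?\."
    r"|\bpytest\b|\basv\b|\bmake\b|\btox\b"
    r"|python\s+\S+\.py"
)


def _matching(lines, pred):
    # (1-based line number, stripped line) for every line where pred is truthy
    return [(n, line.strip()) for n, line in enumerate(lines, 1) if pred(line)]


def audit_workflow(text):
    """Return a list of (severity, message) findings; an empty list means clean."""
    lines = text.splitlines()
    privileged = _matching(lines, lambda l: any(t in l for t in PRIVILEGED_TRIGGERS))
    untrusted = _matching(lines, UNTRUSTED_REF.search)
    executes = _matching(lines, EXECUTES_REPO_CODE.search)

    if not privileged:
        return []  # plain pull_request etc.: PR code runs without secrets
    if not untrusted:
        return []  # privileged, but only the base branch is checked out
    checkout_line = untrusted[0][0]
    trigger_line, trigger = privileged[0]
    runs_after = [e for e in executes if e[0] > checkout_line]
    if runs_after:
        n, step = runs_after[0]
        return [("CRITICAL",
                 f"line {n}: '{step}' executes contributor code checked out at "
                 f"line {checkout_line} under privileged trigger '{trigger}' "
                 f"(line {trigger_line})")]
    return [("WARNING",
             f"line {checkout_line}: untrusted ref checked out under privileged "
             f"trigger '{trigger}'; any later step that runs repository code "
             f"is exploitable")]


# Constructed sample: the vulnerable shape (NOT the real benchmarks.yml).
VULNERABLE = """\
on:
  pull_request_target:
jobs:
  bench:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
        with:
          ref: ${{ github.event.pull_request.head.sha }}
      - run: pip install -e .
      - run: python benchmarks/run.py
"""

# Constructed sample: same privileged trigger, but only the base branch is
# checked out, so the PR author's code is never executed.
BASE_ONLY = """\
on:
  pull_request_target:
jobs:
  label:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
      - run: python .github/label_pr.py
"""

# Constructed sample: hardened shape. The unprivileged pull_request trigger
# gets no secrets and a read-only token, so running PR code is contained.
HARDENED = """\
on:
  pull_request:
permissions:
  contents: read
jobs:
  bench:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
      - run: pip install -e .
      - run: python benchmarks/run.py
"""

if __name__ == "__main__":
    for name, wf in (("vulnerable", VULNERABLE), ("base-only", BASE_ONLY),
                     ("hardened", HARDENED)):
        print(f"{name}: {audit_workflow(wf) or 'clean'}")
```

The auditor flags only the specific combination the advisory describes; it will not see a ref passed in through an environment variable or a composite action, so treat an empty result as "nothing obvious", not as proof the workflow is safe.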
• python / supply-chain:
    import subprocess

    # Check the installed Mesa version against the fixed release (3.5.1).
    # The flaw lives in the project's CI workflow, so the installed package
    # version only tells you whether you are tracking an unpatched tree.
    result = subprocess.run(['pip', 'show', 'mesa'], capture_output=True, text=True)
    if result.returncode == 0 and 'Version: ' in result.stdout:
        mesa_version = result.stdout.split('Version: ')[1].split('\n')[0].strip()
        # Compare as an integer tuple: float('3.5.0') raises ValueError and
        # float('3.10') would sort below 3.5. Non-numeric parts (pre-release
        # tags) are dropped, which errs on the side of reporting "vulnerable".
        parts = tuple(int(p) for p in mesa_version.split('.')[:3] if p.isdigit())
        if parts <= (3, 5, 0):
            print(f"Mesa {mesa_version} is vulnerable (fixed in 3.5.1).")
        else:
            print(f"Mesa {mesa_version} is patched.")
    else:
        print("Mesa is not installed.")
• generic web: Check for unusual files or modifications in the repository's workflow directory (for GitHub Actions, .github/workflows), particularly in benchmarks.yml.
disclosure
Exploit status
EPSS
0.12% (31st percentile)
CISA SSVC
CVSS vector
The primary mitigation is to upgrade to a patched version of Mesa, specifically 3.5.1 or later, which contains the fix committed as c35b8cd. If an immediate upgrade is not feasible, disable the benchmarks.yml workflow or restrict it so that it runs only for trusted contributors. Review and audit the workflow to confirm that no step checks out contributor-controlled code in a job that holds secrets or a write-capable token, and require code review for any change to it. After upgrading, verify the fix rather than assuming it: confirm that commit c35b8cd is an ancestor of the revision you run (git merge-base --is-ancestor), and re-read the patched workflow to confirm that the privileged job no longer executes code from an untrusted ref. Running the benchmark workflow against a known-good repository only shows that it still works, not that it is no longer exploitable.
Update the Mesa library to a version that includes commit c35b8cd. This fixes the code-execution vulnerability caused by checking out untrusted code in the `benchmarks.yml` workflow.
CVE-2026-29075 is a remote code execution vulnerability affecting Mesa versions up to 3.5.0. It allows attackers to execute arbitrary code within a privileged runner due to insecure handling of untrusted code in the benchmarks.yml workflow.
Mesa 3.5.0 and earlier are listed as affected; check your installed version with pip show mesa and upgrade if necessary. Because the flaw sits in the repository's CI workflow rather than in the library's runtime code, the exposure is concentrated in the Mesa project's CI and in any fork or downstream pipeline that runs benchmarks.yml on a privileged runner.
Upgrade to a patched version of Mesa containing commit c35b8cd. If immediate upgrade is not possible, disable the benchmarks.yml workflow or restrict runner access.
There are currently no confirmed reports of active exploitation, but remote code execution on a privileged CI runner warrants prompt remediation.
Refer to the Mesa project's official website and GitHub repository for updates and advisories related to CVE-2026-29075.