Platform
python
Component
mesa
Fixed in
3.5.1
Mesa is an open-source Python library used for agent-based modeling, enabling simulations of complex systems. CVE-2026-29075 exposes a remote code execution (RCE) vulnerability within Mesa versions 3.5.0 and earlier. This flaw arises from the insecure handling of untrusted code during the benchmarks.yml workflow, potentially allowing attackers to execute arbitrary code with elevated privileges. A patch addressing this issue has been released.
The vulnerability lies in Mesa's benchmarks.yml workflow, which automatically checks out code. An attacker could craft malicious code that this workflow picks up; when the privileged runner executes it, the attacker gains control over that system. This could lead to data breaches, system compromise and, potentially, complete control of the environment where Mesa is deployed. The impact is particularly severe because agent-based modeling is often used in sensitive domains such as financial modeling or scientific research, where data integrity and confidentiality are paramount. Successful exploitation could allow an attacker to inject malicious code into the simulation process, leading to inaccurate results or the theft of sensitive data.
This vulnerability was publicly disclosed on 2026-03-06. No public proof-of-concept (PoC) code has been released at the time of writing. The EPSS score is currently pending evaluation. It is not currently listed on the CISA KEV catalog. Given the RCE nature and the potential for privilege escalation, this vulnerability warrants careful attention and prompt remediation.
Organizations and individuals using Mesa for agent-based modeling are affected, particularly those running simulations in environments with limited access controls or where the runner environment has elevated privileges. Researchers and developers who have customized the benchmarks.yml workflow are also at increased risk.
• python / supply-chain:

    import re
    import subprocess

    # Check the installed Mesa version: 3.5.0 and earlier are affected, 3.5.1 contains the fix.
    result = subprocess.run(['pip', 'show', 'mesa'], capture_output=True, text=True)
    if result.returncode == 0:
        # Read the "Version: X.Y.Z" line from pip's output and compare it as a tuple of
        # integers; comparing float("3.5.0") would raise ValueError.
        version_line = next(line for line in result.stdout.splitlines() if line.startswith('Version: '))
        mesa_version = version_line.split('Version: ', 1)[1].strip()
        parts = tuple(int(p) for p in re.findall(r'\d+', mesa_version)[:3])
        if parts <= (3, 5, 0):
            print(f"Mesa {mesa_version} is vulnerable (CVE-2026-29075); upgrade to 3.5.1 or later.")
        else:
            print(f"Mesa {mesa_version} is not affected.")
    else:
        print("Mesa is not installed.")

• generic web: Check for unusual files or modifications within the Mesa installation directory, particularly related to the benchmarks.yml workflow.
Disclosure
Exploit status
EPSS
0.12% (31st percentile)
CISA SSVC
CVSS vector
The primary mitigation is to upgrade to a patched version of Mesa. The fix is available in commit c35b8cd. If upgrading is not immediately feasible, consider temporarily disabling the benchmarks.yml workflow or restricting access to the runner environment. Review the benchmarks.yml file for any suspicious code or configurations. Implement strict code review processes for any custom benchmarks or extensions added to Mesa. After upgrading, confirm the fix by running the benchmarks.yml workflow with a known safe codebase and verifying that no unauthorized code execution occurs.
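As an added example (not Mesa's code or tooling), the following script audits a GitHub Actions workflow for the pattern this advisory describes: a job on a privileged trigger that checks out contributor-controlled code. The page does not state which trigger or checkout ref Mesa's benchmarks.yml used, so the trigger names and expressions checked here are generic GitHub Actions semantics, and the sample workflows are constructed.

```python
import re

# Triggers whose jobs get the base repo's secrets and write token even for events from forks
# (GitHub Actions semantics; the trigger Mesa's benchmarks.yml used is not stated on this page).
PRIVILEGED_TRIGGERS = ("pull_request_target", "workflow_run", "issue_comment")
# Expressions that resolve to contributor-controlled code when used as a checkout ref.
UNTRUSTED_REF = re.compile(r"github\.event\.(pull_request|workflow_run)\.head\.(sha|ref)|github\.head_ref")


def audit_workflow(text):
    """Line-based heuristic (no YAML library): one finding per checkout of an untrusted ref under a privileged trigger."""
    parts = re.split(r"^jobs:", text, maxsplit=1, flags=re.M)
    header, jobs = (parts + [""])[:2]
    triggers = [t for t in PRIVILEGED_TRIGGERS if re.search(rf"\b{t}\b", header)]
    findings, in_checkout = [], False
    for lineno, line in enumerate(jobs.splitlines(), start=header.count("\n") + 1):
        if re.match(r"^\s*-\s", line):          # a new step begins; remember whether it is a checkout
            in_checkout = "actions/checkout" in line
        elif "uses:" in line and "actions/checkout" in line:
            in_checkout = True                  # '- name:' step whose uses: comes on a later line
        elif in_checkout and re.match(r"^\s*ref:", line) and UNTRUSTED_REF.search(line) and triggers:
            # Untrusted code plus secrets/write token is the dangerous combination.
            findings.append(f"line {lineno}: untrusted ref under {','.join(triggers)}: {line.strip()}")
    return findings


# Constructed sample workflows (illustrative; not Mesa's real benchmarks.yml).
RISKY = """\
name: benchmarks
on:
  pull_request_target:
jobs:
  bench:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
        with:
          ref: ${{ github.event.pull_request.head.sha }}
      - run: pip install -e . && python benchmarks/run.py
"""
# Same checkout, but plain 'pull_request' runs fork code without secrets or a write token.
SAFE_TRIGGER = RISKY.replace("pull_request_target:", "pull_request:")
# Privileged trigger, but the default checkout is the base branch, so no contributor code runs.
SAFE_REF = RISKY.replace("        with:\n          ref: ${{ github.event.pull_request.head.sha }}\n", "")

if __name__ == "__main__":
    for name, wf in (("RISKY", RISKY), ("SAFE_TRIGGER", SAFE_TRIGGER), ("SAFE_REF", SAFE_REF)):
        print(name, audit_workflow(wf) or "no findings")
```

Only the combination of a privileged trigger and an untrusted ref is reported, so the check stays quiet on workflows that merely run fork code without secrets or that check out the base branch.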
Upgrade the Mesa library to a version after commit c35b8cd. This fixes the code-execution vulnerability caused by checking out untrusted code in the `benchmarks.yml` workflow.
CVE-2026-29075 is a remote code execution vulnerability affecting Mesa versions up to 3.5.0. It allows attackers to execute arbitrary code within a privileged runner due to insecure handling of untrusted code in the benchmarks.yml workflow.
You are affected if you are using Mesa version 3.5.0 or earlier. Check your Mesa version using pip show mesa and upgrade if necessary.
Upgrade to a patched version of Mesa containing commit c35b8cd. If immediate upgrade is not possible, disable the benchmarks.yml workflow or restrict runner access.
There are currently no confirmed reports of active exploitation, but the vulnerability's RCE nature warrants prompt remediation.
Refer to the Mesa project's official website and GitHub repository for updates and advisories related to CVE-2026-29075.