CVE-2024-30254
MEDIUMmesonlsp < 4.1.4 - Arbitrary File Write via Crafted Project or --full Mode
Title source: llmDescription
MesonLSP is an unofficial, unendorsed language server for meson written in C++. A vulnerability in versions prior to 4.1.4 allows overwriting arbitrary files if the attacker can make the victim either run the language server within a specific crafted project or `mesonlsp --full`. Version 4.1.4 contains a patch for this issue. As a workaround, avoid running `mesonlsp --full` and set the language server option `others.neverDownloadAutomatically` to `true`.
References (2)
Core 2
Core References
Vendor Advisory x_refsource_confirm
https://github.com/JCWasmx86/mesonlsp/security/advisories/GHSA-48c5-35fh-846h
Scores
CVSS v3
5.8
EPSS
0.0019
EPSS Percentile
8.6%
Attack Vector
LOCAL
CVSS:3.1/AV:L/AC:H/PR:N/UI:R/S:U/C:L/I:H/A:L
CISA SSVC
Vulnrichment
Exploitation
poc
Automatable
no
Technical Impact
partial
Details
CWE
CWE-22
Status
published
Products (1)
JCWasmx86/mesonlsp
< 4.1.4
Published
Apr 04, 2024
Tracked Since
Feb 18, 2026