Cyber Resilience

CVE-2025-30358

High

Published: 27 March 2025

Published
27 March 2025
Modified
15 April 2026
KEV Added
Patch
CVSS Score v3.1 8.1 CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:H
EPSS Score 0.0236 85.3th percentile
Risk Priority 18 60% EPSS · 20% KEV · 20% CVSS

Summary

CVE-2025-30358 is a high-severity Improperly Controlled Modification of Dynamically-Determined Object Attributes (CWE-915) vulnerability. Its CVSS base score is 8.1 (High).

Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190); ranked in the top 14.7% of CVEs by exploit likelihood; it is not currently listed in the CISA KEV catalog.

This vulnerability is AI-related — categorised as LLM Application Platforms; in the LLM/Generative AI Risks risk domain.

The strongest mitigations our analysis identified are NIST 800-53 SC-4 (Information in Shared System Resources) and SI-10 (Information Input Validation).

Deeper analysis

Mesop, a Python-based UI framework for building web applications, is affected by a class pollution vulnerability in versions prior to 0.14.1. The flaw, tracked as CWE-915, permits attackers to overwrite global variables and class attributes in specific Mesop modules at runtime, analogous to JavaScript prototype pollution and capable of altering intended data or control flows.

An authenticated attacker with network access can exploit the issue to trigger a denial of service against the server. Depending on application implementation, the same mechanism can enable identity confusion that impersonates assistant or system roles in LLM conversations, facilitating jailbreak attacks, or potentially escalate to remote code execution when suitable gadgets are present.

The associated GitHub Security Advisory and patch commit indicate that upgrading to Mesop 0.14.1 fully resolves the vulnerability.

The EPSS score rose from a low starting value of 0.0236 to a peak of 0.0369, indicating emerging exploitation interest after disclosure. The framework's use in LLM-facing interfaces adds particular relevance for AI/ML deployments.

EU & UK References

Vulnerability details

Mesop is a Python-based UI framework that allows users to build web applications. A class pollution vulnerability in Mesop prior to version 0.14.1 allows attackers to overwrite global variables and class attributes in certain Mesop modules during runtime. This vulnerability…

more

could directly lead to a denial of service (DoS) attack against the server. Additionally, it could also result in other severe consequences given the application's implementation, such as identity confusion, where an attacker could impersonate an assistant or system role within conversations. This impersonation could potentially enable jailbreak attacks when interacting with large language models (LLMs). Just like the Javascript's prototype pollution, this vulnerability could leave a way for attackers to manipulate the intended data-flow or control-flow of the application at runtime and lead to severe consequences like remote code execution when gadgets are available. Users should upgrade to version 0.14.1 to obtain a fix for the issue.

CWE(s)

AI Security AnalysisAI

AI Category
LLM Application Platforms
Risk Domain
LLM/Generative AI Risks
OWASP Top 10 for LLMs 2025
None mapped
Classification Reason
Matched keywords: jailbreak, llms

Related Threats

MITRE ATT&CK Enterprise TechniquesAI

T1190 Exploit Public-Facing Application Initial Access
Adversaries may attempt to exploit a weakness in an Internet-facing host or system to initially access a network.
T1499.004 Application or System Exploitation Impact
Adversaries may exploit software vulnerabilities that can cause an application or system to crash and deny availability to users.
T1684.001 Impersonation Stealth
Adversaries may impersonate a trusted person or organization in order to persuade and trick a target into performing some action on their behalf.
Why these techniques?

Class pollution vulnerability in Mesop web framework enables exploitation of public-facing applications (T1190) for potential RCE via runtime control-flow manipulation, application-level DoS (T1499.004), and impersonation of assistant/system roles (T1656).

CVEs Like This One

CVE-2026-40897Shared CWE-915
CVE-2026-33453Shared CWE-915
CVE-2026-29056Shared CWE-915
CVE-2026-45229Shared CWE-915
CVE-2026-34427Shared CWE-915
CVE-2026-48150Shared CWE-915
CVE-2025-15602Shared CWE-915
CVE-2026-6912Shared CWE-915
CVE-2026-34406Shared CWE-915
CVE-2026-34179Shared CWE-915

Affected Assets

Mitigating Controls

Mitigating Controls (NIST 800-53 r5) AI

prevent

Directly mitigates CVE-2025-30358 by requiring timely flaw remediation through patching, such as upgrading Mesop to version 0.14.1 to prevent unauthorized overwrites of global variables and class attributes.

prevent

Validates all user inputs to block malicious payloads that could exploit the class pollution vulnerability by overwriting globals and class attributes in Mesop modules at runtime.

prevent

Prevents unauthorized modification of shared system resources, such as global variables and class attributes targeted by the prototype pollution-style attack in Mesop.

References