CVE-2025-30358
Published: 27 March 2025
Summary
CVE-2025-30358 is a high-severity Improperly Controlled Modification of Dynamically-Determined Object Attributes (CWE-915) vulnerability. Its CVSS base score is 8.1 (High).
Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190); ranked in the top 15.0% of CVEs by exploit likelihood; it is not currently listed in the CISA KEV catalog.
This vulnerability is AI-related — categorised as Enterprise AI Assistants; in the LLM/Generative AI Risks risk domain.
The strongest mitigations our analysis identified are NIST 800-53 SC-4 (Information in Shared System Resources) and SI-10 (Information Input Validation).
Threat & Defense at a Glance
Threat & Defense Details
Mitigating Controls (NIST 800-53 r5)AI
Directly mitigates CVE-2025-30358 by requiring timely flaw remediation through patching, such as upgrading Mesop to version 0.14.1 to prevent unauthorized overwrites of global variables and class attributes.
Validates all user inputs to block malicious payloads that could exploit the class pollution vulnerability by overwriting globals and class attributes in Mesop modules at runtime.
Prevents unauthorized modification of shared system resources, such as global variables and class attributes targeted by the prototype pollution-style attack in Mesop.
MITRE ATT&CK Enterprise TechniquesAI
Why these techniques?
Class pollution vulnerability in Mesop web framework enables exploitation of public-facing applications (T1190) for potential RCE via runtime control-flow manipulation, application-level DoS (T1499.004), and impersonation of assistant/system roles (T1656).
NVD Description
Mesop is a Python-based UI framework that allows users to build web applications. A class pollution vulnerability in Mesop prior to version 0.14.1 allows attackers to overwrite global variables and class attributes in certain Mesop modules during runtime. This vulnerability…
more
could directly lead to a denial of service (DoS) attack against the server. Additionally, it could also result in other severe consequences given the application's implementation, such as identity confusion, where an attacker could impersonate an assistant or system role within conversations. This impersonation could potentially enable jailbreak attacks when interacting with large language models (LLMs). Just like the Javascript's prototype pollution, this vulnerability could leave a way for attackers to manipulate the intended data-flow or control-flow of the application at runtime and lead to severe consequences like remote code execution when gadgets are available. Users should upgrade to version 0.14.1 to obtain a fix for the issue.
Deeper analysisAI
CVE-2025-30358 is a class pollution vulnerability affecting Mesop, a Python-based UI framework for building web applications, in versions prior to 0.14.1. The flaw allows attackers to overwrite global variables and class attributes in certain Mesop modules during runtime, akin to JavaScript prototype pollution. This manipulation can alter the application's data-flow or control-flow, with a CVSS v3.1 base score of 8.1 (AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:H) and is classified under CWE-915.
Attackers with low privileges, such as authenticated users accessible over the network, can exploit this vulnerability without user interaction. Successful exploitation directly enables denial-of-service (DoS) attacks against the server by disrupting availability. It also facilitates identity confusion, allowing impersonation of assistant or system roles in conversations, which could enable jailbreak attacks when Mesop interacts with large language models (LLMs). Depending on the application's implementation and available gadgets, it may escalate to remote code execution.
The Mesop security advisory (GHSA-f3mf-hm6v-jfhh) and associated patch commit recommend upgrading to version 0.14.1, which addresses the class pollution issue by preventing unauthorized overwrites of global variables and class attributes.
This vulnerability has particular relevance to AI/ML deployments, as its potential for LLM jailbreaks highlights risks in frameworks bridging UI and language model interactions, though no real-world exploitation has been reported.
Details
- CWE(s)
AI Security AnalysisAI
- AI Category
- Enterprise AI Assistants
- Risk Domain
- LLM/Generative AI Risks
- OWASP Top 10 for LLMs 2025
- None mapped
- Classification Reason
- Mesop is a Python-based UI framework for building web applications, commonly used in AI contexts involving assistants and LLMs. The vulnerability enables impersonation of assistant or system roles in conversations, facilitating jailbreak attacks on LLMs, aligning with Enterprise AI Assistants.