CVE-2025-30358
Published: 27 March 2025
Summary
CVE-2025-30358 is a high-severity Improperly Controlled Modification of Dynamically-Determined Object Attributes (CWE-915) vulnerability. Its CVSS base score is 8.1 (High).
Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190); ranked in the top 14.7% of CVEs by exploit likelihood; it is not currently listed in the CISA KEV catalog.
This vulnerability is AI-related — categorised as LLM Application Platforms; in the LLM/Generative AI Risks risk domain.
The strongest mitigations our analysis identified are NIST 800-53 SC-4 (Information in Shared System Resources) and SI-10 (Information Input Validation).
Deeper analysis
Mesop, a Python-based UI framework for building web applications, is affected by a class pollution vulnerability in versions prior to 0.14.1. The flaw, tracked as CWE-915, permits attackers to overwrite global variables and class attributes in specific Mesop modules at runtime, analogous to JavaScript prototype pollution and capable of altering intended data or control flows.
An authenticated attacker with network access can exploit the issue to trigger a denial of service against the server. Depending on application implementation, the same mechanism can enable identity confusion that impersonates assistant or system roles in LLM conversations, facilitating jailbreak attacks, or potentially escalate to remote code execution when suitable gadgets are present.
The associated GitHub Security Advisory and patch commit indicate that upgrading to Mesop 0.14.1 fully resolves the vulnerability.
The EPSS score rose from a low starting value of 0.0236 to a peak of 0.0369, indicating emerging exploitation interest after disclosure. The framework's use in LLM-facing interfaces adds particular relevance for AI/ML deployments.
EU & UK References
- 🇪🇺 ENISA EUVD: EUVD-2025-14804
Vulnerability details
Mesop is a Python-based UI framework that allows users to build web applications. A class pollution vulnerability in Mesop prior to version 0.14.1 allows attackers to overwrite global variables and class attributes in certain Mesop modules during runtime. This vulnerability…
more
could directly lead to a denial of service (DoS) attack against the server. Additionally, it could also result in other severe consequences given the application's implementation, such as identity confusion, where an attacker could impersonate an assistant or system role within conversations. This impersonation could potentially enable jailbreak attacks when interacting with large language models (LLMs). Just like the Javascript's prototype pollution, this vulnerability could leave a way for attackers to manipulate the intended data-flow or control-flow of the application at runtime and lead to severe consequences like remote code execution when gadgets are available. Users should upgrade to version 0.14.1 to obtain a fix for the issue.
- CWE(s)
AI Security AnalysisAI
- AI Category
- LLM Application Platforms
- Risk Domain
- LLM/Generative AI Risks
- OWASP Top 10 for LLMs 2025
- None mapped
- Classification Reason
- Matched keywords: jailbreak, llms
Related Threats
MITRE ATT&CK Enterprise TechniquesAI
Why these techniques?
Class pollution vulnerability in Mesop web framework enables exploitation of public-facing applications (T1190) for potential RCE via runtime control-flow manipulation, application-level DoS (T1499.004), and impersonation of assistant/system roles (T1656).
CVEs Like This One
Affected Assets
Mitigating Controls
Mitigating Controls (NIST 800-53 r5) AI
Directly mitigates CVE-2025-30358 by requiring timely flaw remediation through patching, such as upgrading Mesop to version 0.14.1 to prevent unauthorized overwrites of global variables and class attributes.
Validates all user inputs to block malicious payloads that could exploit the class pollution vulnerability by overwriting globals and class attributes in Mesop modules at runtime.
Prevents unauthorized modification of shared system resources, such as global variables and class attributes targeted by the prototype pollution-style attack in Mesop.