CVE-2025-30358: Mesop Class Pollution DoS Vulnerability

CVE-2025-30358 Overview

Mesop is a Python-based UI framework for building web applications. CVE-2025-30358 is a class pollution vulnerability affecting Mesop versions prior to 0.14.1. Attackers with low privileges can overwrite global variables and class attributes in Mesop modules at runtime. The flaw is tracked under [CWE-915: Improperly Controlled Modification of Dynamically-Determined Object Attributes].

Exploitation enables denial of service against the server and can extend to identity confusion in LLM-driven applications. An attacker can impersonate the assistant or system role within conversations, potentially enabling jailbreak attacks against large language models (LLMs). When suitable gadgets exist, the vulnerability can escalate to remote code execution.

Critical Impact

Class pollution allows runtime manipulation of application data and control flow, leading to denial of service, LLM jailbreaks via role impersonation, and potential remote code execution.

Affected Products

• Mesop versions prior to 0.14.1
• Python web applications built on the Mesop framework
• LLM-integrated chat interfaces using Mesop components

Discovery Timeline

• 2025-03-27 - CVE-2025-30358 published to NVD
• 2026-06-17 - Last updated in NVD database

Technical Details for CVE-2025-30358

Vulnerability Analysis

The vulnerability is a class pollution flaw, the Python equivalent of JavaScript prototype pollution. Mesop modules expose attribute assignment paths that recursively traverse object attributes without restriction. An authenticated attacker can submit crafted input that walks through __class__, __init__, or __globals__ chains and overwrites module-level globals or class attributes.

Once a global variable or class attribute is overwritten, every subsequent request handled by the affected Mesop process inherits the polluted value. The polluted state persists for the lifetime of the worker. This shifts the impact from a single request to a server-wide compromise of application state.

In LLM-backed Mesop applications, attackers can overwrite role identifiers or message-handling attributes. This produces identity confusion: attacker-supplied content is rendered as if it originated from the system or assistant role. The result is a reliable channel for prompt injection and jailbreak attacks against the underlying model.

Root Cause

The root cause is unsafe recursive attribute assignment in Mesop's state-handling logic. The framework does not block traversal into dunder attributes such as __class__ or __globals__ when resolving attribute paths from untrusted input.

Attack Vector

The attack vector is network-based and requires low-privileged authenticated access to the Mesop application. An attacker submits a request containing an attribute path that references internal class or module attributes. The framework processes the path and writes attacker-controlled values into shared runtime state.

No public proof-of-concept has been released. Refer to the GitHub Security Advisory GHSA-f3mf-hm6v-jfhh and the GitHub Commit Update for technical details on the fix.

Detection Methods for CVE-2025-30358

Indicators of Compromise

• Request payloads containing dunder attribute names such as __class__, __init__, __globals__, or __mro__ targeting Mesop endpoints.
• Unexpected changes to Mesop module-level globals or class defaults observed across worker processes.
• LLM conversation logs showing assistant or system messages that do not match server-generated content.
• Process restarts or worker crashes correlated with malformed state-update requests.

Detection Strategies

• Inspect HTTP request bodies sent to Mesop state endpoints for attribute paths referencing Python dunder attributes.
• Compare runtime values of critical Mesop class attributes against known-good baselines on a recurring schedule.
• Correlate authenticated user sessions with anomalous role tokens appearing in LLM transcripts.

Monitoring Recommendations

• Enable verbose logging on Mesop request handlers and forward logs to a centralized analytics platform.
• Alert on any payload field containing the substrings __class__, __globals__, or __bases__.
• Track per-worker memory and behavior drift indicative of persistent state pollution.

How to Mitigate CVE-2025-30358

Immediate Actions Required

• Upgrade Mesop to version 0.14.1 or later on all production and staging hosts.
• Audit all Mesop applications for custom code that performs recursive setattr operations on user-controlled paths.
• Restrict network access to Mesop applications using authentication and IP allowlisting where feasible.
• Restart worker processes after deployment to clear any polluted runtime state.

Patch Information

The Mesop maintainers fixed CVE-2025-30358 in version 0.14.1. The patch is published in commit 748e20d4 and documented in GHSA-f3mf-hm6v-jfhh. Upgrade using pip install --upgrade mesop>=0.14.1.

Workarounds

• No vendor-supplied workaround exists; upgrading to 0.14.1 is the required remediation.
• If upgrade is delayed, place Mesop behind a reverse proxy that strips request fields containing Python dunder attribute names.
• Isolate Mesop workers per tenant so polluted state cannot cross trust boundaries.

# Upgrade Mesop to the patched version
pip install --upgrade 'mesop>=0.14.1'

# Verify installed version
python -c "import mesop; print(mesop.__version__)"