CVE-2025-64318 Overview
CVE-2025-64318 is a prompt injection vulnerability affecting Salesforce Mulesoft Anypoint Code Builder versions before 1.12.1. The flaw stems from improper neutralization of input used for Large Language Model (LLM) prompting, classified under [CWE-94]. Attackers can manipulate writeable configuration files by supplying crafted input to the AI-assisted developer tooling. Salesforce has published a fix in version 1.12.1.
Critical Impact
Attackers can influence LLM-driven actions to modify writeable configuration files inside the Anypoint Code Builder environment, altering integration behavior without direct access to source systems.
Affected Products
- Salesforce Mulesoft Anypoint Code Builder versions before 1.12.1
- Deployments relying on AI-assisted flow generation in Anypoint Code Builder
- MuleSoft integration projects authored through vulnerable Code Builder instances
Discovery Timeline
- 2025-11-04 - CVE-2025-64318 published to NVD
- 2026-06-17 - Last updated in NVD database
Technical Details for CVE-2025-64318
Vulnerability Analysis
The vulnerability resides in the LLM prompt handling path of Anypoint Code Builder. User-controlled input reaches the model without adequate sanitization, allowing prompt injection payloads to alter the model's intended behavior. Because the assistant is authorized to write configuration files as part of its normal workflow, malicious instructions can be transformed into file modifications.
The attack requires no authentication and no user interaction across the network path. Successful exploitation impacts integrity of configuration artifacts while confidentiality and availability remain unaffected. The EPSS probability sits at 0.216%, indicating low observed exploitation activity so far.
Root Cause
The root cause is missing neutralization of untrusted content flowing into LLM prompts, aligned with Code Injection semantics under [CWE-94]. The assistant treats attacker-supplied text as trusted instruction rather than data. When the model receives adversarial directives, it invokes file-write capabilities against configuration files it can already reach.
Attack Vector
An attacker delivers crafted content that the Anypoint Code Builder assistant subsequently processes, such as text embedded in resources, documentation, or artifacts consumed by the AI workflow. The injected instructions redirect the assistant toward modifying writeable configuration files. Because the network attack vector requires no privileges, indirect prompt injection through shared project material is a realistic path.
No verified public proof-of-concept code is available. See the Salesforce Help Article for vendor guidance.
Detection Methods for CVE-2025-64318
Indicators of Compromise
- Unexpected modifications to MuleSoft project configuration files that correlate with AI assistant sessions
- Configuration diffs introducing endpoints, credentials references, or connector settings not present in developer commits
- Anomalous file write events from the Anypoint Code Builder process outside normal editing activity
Detection Strategies
- Baseline the set of configuration files Anypoint Code Builder writes during standard workflows and alert on deviations
- Correlate AI assistant prompt logs with subsequent file system changes to detect prompt-to-action anomalies
- Review version control history for configuration changes lacking a corresponding developer authored commit
Monitoring Recommendations
- Ingest Anypoint Code Builder audit logs into a centralized data lake such as Singularity Data Lake for cross-source correlation with endpoint telemetry
- Monitor developer workstations for file modifications to MuleSoft configuration paths performed by IDE-integrated LLM processes
- Track version drift of Anypoint Code Builder installations to identify hosts still running builds prior to 1.12.1
How to Mitigate CVE-2025-64318
Immediate Actions Required
- Upgrade Salesforce Mulesoft Anypoint Code Builder to version 1.12.1 or later on all developer endpoints
- Audit configuration files in active MuleSoft projects for unauthorized modifications introduced by AI assistant sessions
- Restrict the assistant's file-write scope where the platform permits granular capability configuration
Patch Information
Salesforce addressed the vulnerability in Anypoint Code Builder 1.12.1. Refer to the Salesforce Help Article for official remediation details and upgrade instructions.
Workarounds
- Avoid processing untrusted external content, such as third-party documentation or artifacts, through the Anypoint Code Builder AI assistant until patched
- Require code review on all configuration file changes originating from AI-assisted sessions before merging to protected branches
- Isolate developer environments running vulnerable versions from production integration credentials
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.

