CVE-2025-30358: 
Python vulnerability analysis and mitigation

Mesop, a Python-based UI framework for building web applications, was found to contain a class pollution vulnerability in versions prior to 0.14.1. The vulnerability was discovered and disclosed on March 27, 2025, and assigned CVE-2025-30358. This security flaw allows attackers to overwrite global variables and class attributes in certain Mesop modules during runtime (NVD, GitHub Advisory).

The vulnerability stems from improper validation of user-controlled input that can manipulate class attributes and global variables during runtime. Similar to JavaScript's prototype pollution, this vulnerability enables attackers to alter the intended data-flow or control-flow of the application. The issue has been assigned a CVSS v3.1 base score of 8.1 (HIGH) with the vector string CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:H, indicating network attack vector, low attack complexity, and high impact on integrity and availability (GitHub Advisory).

The vulnerability can lead to multiple severe consequences: a denial of service (DoS) attack against the server, identity confusion allowing attackers to impersonate assistant or system roles within conversations, potential jailbreak attacks when interacting with large language models (LLMs), and possible remote code execution when gadgets are available (NVD).

Users should upgrade to Mesop version 0.14.1, which contains a patch for this vulnerability. The fix includes additional validation to prevent the use of dunder properties in stateclasses, as evidenced by the patch commit (GitHub Commit).