CVE-2025-30358: Mesop Class Pollution Vulnerability Leading to DoS and Jailbreak Attacks

Executive Summary

CVE-2025-30358 describes a class pollution vulnerability affecting Mesop, a Python-based UI framework. Versions prior to 0.14.1 are susceptible to attackers overwriting global variables and class attributes in specific Mesop modules during runtime. This can lead to denial-of-service (DoS) attacks and, potentially, jailbreak attacks when interacting with large language models (LLMs) due to identity confusion. The vulnerability stems from improperly controlled modification of dynamically-determined object attributes (CWE-915). Users are advised to upgrade to version 0.14.1 to mitigate this risk.

Technical Details

  • Affected Software: Mesop
  • Affected Versions: Versions prior to 0.14.1
  • Vulnerability Type: Class Pollution (Improperly Controlled Modification of Dynamically-Determined Object Attributes - CWE-915)
  • Attack Vector: Network
  • Impact: Denial of Service (DoS), Jailbreak Attacks, Identity Confusion
  • CVSS v3.1 Score: 8.1 (HIGH)
    • AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:H
  • Affected Component: mesop/dataclass_utils/dataclass_utils.py

The vulnerability resides in how Mesop handles updates to dataclass instances from JSON data. Specifically, the update_dataclass_from_json function, along with its recursive helper _recursive_update_dataclass_from_json_obj, iterates through the keys of a JSON dictionary and attempts to update corresponding attributes of a dataclass instance. The lack of proper input validation allows an attacker to inject specially crafted JSON payloads containing "dunder" properties (properties starting and ending with double underscores, e.g., __init__, __class__, __globals__). These dunder properties, when successfully injected, can modify the class itself or even the global namespace, leading to unpredictable and potentially catastrophic consequences.

Root Cause Analysis

The root cause of CVE-2025-30358 is the insufficient input validation within the _recursive_update_dataclass_from_json_obj function. The function iterates through the keys in the provided JSON dictionary and directly uses these keys to access and modify attributes of the dataclass instance. This direct mapping from JSON key to object attribute without proper sanitization allows for the injection of dunder properties.

Here's the vulnerable code snippet:

from typing import Any


# Vulnerable version (before 0.14.1): every JSON key is handed straight to
# hasattr/getattr/setattr with no restriction on its name.
def _recursive_update_dataclass_from_json_obj(instance: Any, json_dict: Any):
  for key, value in json_dict.items():
    if hasattr(instance, key):
      attr = getattr(instance, key)
      if isinstance(value, dict):
        # Recurses into whatever getattr returned, even a method or a plain dict
        _recursive_update_dataclass_from_json_obj(attr, value)
      else:
        setattr(instance, key, value)

An attacker can exploit this by crafting a JSON payload that includes dunder properties like __class__ or __globals__. For example, the following JSON payload could be used to attempt to modify the __name__ attribute within the global namespace:

{
  "__init__": {
    "__globals__": {
      "__name__": "polluted"
    }
  }
}

This payload attempts to modify the __name__ attribute of the global namespace by injecting a nested dictionary structure. The update_dataclass_from_json function, without proper validation, would attempt to traverse this structure and ultimately use setattr to modify the __name__ attribute, leading to class pollution.

The impact of this pollution can range from simple denial-of-service attacks to more sophisticated exploits, such as identity confusion in applications that rely on specific class attributes or global variables for authentication or authorization. In scenarios involving LLMs, this could lead to jailbreak attacks by manipulating the context or behavior of the model.

Patch Analysis

The fix for CVE-2025-30358, implemented in commit 748e20d4a363d89b841d62213f5b0c6b4bed788f, introduces a check within the _recursive_update_dataclass_from_json_obj function to prevent the use of dunder properties.

Here's the relevant code diff:

--- a/mesop/dataclass_utils/dataclass_utils.py
+++ b/mesop/dataclass_utils/dataclass_utils.py
@@ -129,6 +129,10 @@ def update_dataclass_from_json(instance: Any, json_string: str):
 
 def _recursive_update_dataclass_from_json_obj(instance: Any, json_dict: Any):
   for key, value in json_dict.items():
+    if key.startswith("__") and key.endswith("__"):
+      raise MesopDeveloperException(
+        f"Cannot use dunder property: {key} in stateclass"
+      )
     if hasattr(instance, key):
       attr = getattr(instance, key)
       if isinstance(value, dict):
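Review bot: the new dunder check stops `__init__`/`__class__` keys, but the unchanged `if hasattr(instance, key):` branch right below it still lets any JSON key name any attribute of the instance (methods and non-field attributes included), and the recursive call continues into whatever `getattr` returned even when it is not a dataclass. Consider restricting keys to `dataclasses.fields(instance)` and recursing only when `attr` is itself a dataclass instance, so the traversal can never leave the state object. This hunk also does not show an import of `MesopDeveloperException` into `dataclass_utils.py`; confirm one is already present in the module.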

--- a/mesop/dataclass_utils/dataclass_utils_test.py
+++ b/mesop/dataclass_utils/dataclass_utils_test.py
@@ -14,6 +14,7 @@
   serialize_dataclass,
   update_dataclass_from_json,
 )
+from mesop.exceptions import MesopDeveloperException
 
 
 @dataclass
@@ -593,5 +594,23 @@ class ChildClass(ParentClass):
   assert has_parent(ParentClass) is False
 
 
+def test_globals_pollution():
+  @dataclass
+  class A:
+    val: str
+
+  initial_name = __name__
+  obj = A(val="default")
+  with pytest.raises(MesopDeveloperException) as exc_info:
+    update_dataclass_from_json(
+      obj, '{"__init__": {"__globals__": {"__name__": "polluted"}}}'
+    )
+  assert "Cannot use dunder property: __init__ in stateclass" in str(
+    exc_info.value
+  )
+  # Make sure __name__ has not been modified via the __globals__ pollution attempt
+  assert __name__ == initial_name
+
+
 if __name__ == "__main__":
   raise SystemExit(pytest.main(["-vv", __file__]))
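Review bot: `test_globals_pollution` only exercises a dunder key at the top level, where the exception fires on the very first key before the nested `__globals__` dictionary is ever reached, so `assert __name__ == initial_name` adds little coverage. Add a second case with the dunder key nested under a legitimate field (a dataclass field holding another dataclass, updated with `{"child": {"__class__": {...}}}`) to confirm the check also fires inside the recursive call, and assert `obj.val == "default"` afterwards so a partial update before the raise would be caught.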

The patch adds a check at the beginning of the for loop in _recursive_update_dataclass_from_json_obj. This check verifies if the key starts and ends with double underscores (__). If it does, a MesopDeveloperException is raised, preventing the modification of dunder properties. This effectively blocks the class pollution attack by preventing the attacker from injecting malicious properties into the dataclass instance.

The added test case, test_globals_pollution, verifies that attempting to inject a dunder property like __init__ raises the expected exception and that the global namespace is not modified as a result of the attempted pollution. This test case provides assurance that the patch effectively mitigates the vulnerability.
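As an added example (not Mesop's code), the following updater applies the same dunder check as the patch and goes one step further than upstream by accepting only keys that are declared dataclass fields and recursing only into nested dataclass instances, so a bound method or a __globals__ dictionary can never become an update target. The UnsafeKeyError type and the UserRole/State classes are constructed for the demonstration, modelled on the user_role scenario described on this page.

```python
import dataclasses
import json

class UnsafeKeyError(ValueError):
    """A JSON key would reach something other than a declared dataclass field."""

def _recursive_update(instance: object, json_dict: dict) -> None:
    # Only dataclass instances are traversed: a bound method, a module or a
    # __globals__ dict reached through getattr() is never a valid update target.
    if not dataclasses.is_dataclass(instance) or isinstance(instance, type):
        raise UnsafeKeyError(f"cannot update non-dataclass {type(instance).__name__}")
    allowed = {f.name for f in dataclasses.fields(instance)}
    for key, value in json_dict.items():
        # Same check as the upstream fix: reject every dunder key up front.
        if key.startswith("__") and key.endswith("__"):
            raise UnsafeKeyError(f"cannot use dunder property: {key} in stateclass")
        # Allow-list (stricter than upstream): declared fields only, never methods.
        if key not in allowed:
            raise UnsafeKeyError(f"{key!r} is not a field of {type(instance).__name__}")
        attr = getattr(instance, key)
        if isinstance(value, dict) and dataclasses.is_dataclass(attr):
            _recursive_update(attr, value)
        else:
            setattr(instance, key, value)

def safe_update_dataclass_from_json(instance: object, json_string: str) -> None:
    data = json.loads(json_string)
    if not isinstance(data, dict):
        raise UnsafeKeyError("top-level JSON value must be an object")
    _recursive_update(instance, data)

# Constructed sample state, modelled on the advisory's user_role scenario.
@dataclasses.dataclass
class UserRole:
    role_name: str = "viewer"

@dataclasses.dataclass
class State:
    val: str = "default"
    user_role: UserRole = dataclasses.field(default_factory=UserRole)

def apply_payloads(payloads: list[str]) -> tuple[State, list[str]]:
    """Apply each payload to one State; return it and the rejection messages."""
    state, rejected = State(), []
    for payload in payloads:
        try:
            safe_update_dataclass_from_json(state, payload)
        except UnsafeKeyError as exc:
            rejected.append(str(exc))
    return state, rejected
```

Feeding it the two payloads quoted on this page rejects both before any attribute is touched, while a benign update of val and user_role.role_name is applied normally.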

Exploitation Techniques

An attacker can exploit this vulnerability by sending a crafted JSON payload to an endpoint that uses the update_dataclass_from_json function to update a dataclass instance. The payload should contain dunder properties that, if successfully injected, would allow the attacker to modify the behavior of the application.

Here's a theoretical example of how an attacker might attempt to exploit this vulnerability to cause a denial of service:

  1. Identify an endpoint: The attacker identifies an endpoint in the Mesop application that accepts JSON data and uses update_dataclass_from_json to update a dataclass instance.

  2. Craft a malicious payload: The attacker crafts a JSON payload that includes a dunder property that, when modified, would cause the application to crash or become unresponsive. For example, the attacker might attempt to modify the __del__ method of a critical class to trigger an error during garbage collection.

    {
      "__class__": {
        "__del__": "malicious_code"
      }
    }

    Note: This is a theoretical example. The specific dunder property and its effect will depend on the application's implementation.

  3. Send the payload: The attacker sends the crafted JSON payload to the identified endpoint.

  4. Trigger the vulnerability: The update_dataclass_from_json function, without proper validation, attempts to update the dataclass instance with the malicious payload.

  5. Denial of Service: If the attacker successfully modifies a critical dunder property, it could lead to a denial of service. For example, modifying the __del__ method could cause the application to crash during garbage collection, rendering it unavailable.

Another exploitation scenario involves identity confusion, potentially leading to jailbreak attacks in LLM-based applications. Consider a scenario where a Mesop application uses a dataclass to represent user roles and permissions. An attacker could inject a malicious payload to modify the user's role to an administrator role, granting them unauthorized access to sensitive resources.

{
  "user_role": {
    "__class__": {
      "role_name": "administrator"
    }
  }
}

This could then be leveraged to perform actions that are normally restricted to administrators, such as modifying system settings or accessing sensitive data. In the context of an LLM application, this could allow the attacker to bypass security measures and execute arbitrary code, effectively jailbreaking the model.

Disclaimer: The above exploit examples are theoretical and may require adaptation depending on the specific implementation of the Mesop application.

Mitigation Strategies

To mitigate the risk of CVE-2025-30358, the following strategies are recommended:

  1. Upgrade to version 0.14.1 or later: This version includes the patch that prevents the injection of dunder properties, effectively mitigating the vulnerability.

  2. Input Validation: Implement robust input validation on all data received from external sources, especially JSON data. This includes validating the structure, type, and content of the data to ensure that it conforms to the expected format and does not contain any malicious properties.

  3. Principle of Least Privilege: Grant users only the minimum privileges necessary to perform their tasks. This reduces the potential impact of a successful exploit by limiting the attacker's ability to access sensitive resources or perform unauthorized actions.

  4. Regular Security Audits: Conduct regular security audits of the Mesop application to identify and address potential vulnerabilities. This includes reviewing the code for insecure coding practices and performing penetration testing to simulate real-world attacks.

  5. Web Application Firewall (WAF): Deploy a web application firewall (WAF) to detect and block malicious requests. A WAF can be configured to identify and block requests that contain dunder properties or other suspicious patterns.

  6. Content Security Policy (CSP): Implement a Content Security Policy (CSP) to restrict the sources from which the application can load resources. This can help to prevent cross-site scripting (XSS) attacks, which could be used to exploit the vulnerability.
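The input-validation and WAF items above both come down to spotting dunder keys anywhere in a JSON body before it reaches update_dataclass_from_json. As an added example (not part of the advisory or of Mesop), this scanner walks nested objects and arrays and reports the path of every dunder key, which is the information a WAF rule or a log-review script needs; the sample bodies are constructed and modelled on the payloads quoted on this page.

```python
import json

def find_dunder_keys(node, path=""):
    """Return the JSON paths of every key that starts and ends with '__'.

    Walks objects and arrays, so a nested payload such as
    {"user_role": {"__class__": ...}} is reported as 'user_role.__class__'.
    """
    hits = []
    if isinstance(node, dict):
        for key, value in node.items():
            here = f"{path}.{key}" if path else key
            if isinstance(key, str) and key.startswith("__") and key.endswith("__"):
                hits.append(here)
            hits.extend(find_dunder_keys(value, here))
    elif isinstance(node, list):
        for i, item in enumerate(node):
            hits.extend(find_dunder_keys(item, f"{path}[{i}]"))
    return hits

def inspect_body(raw_body: str) -> dict:
    """Classify one request body for a WAF rule or a log-review script."""
    try:
        data = json.loads(raw_body)
    except json.JSONDecodeError:
        return {"verdict": "not-json", "paths": []}
    paths = find_dunder_keys(data)
    return {"verdict": "block" if paths else "allow", "paths": paths}

# Constructed sample bodies: one benign, two modelled on the advisory's payloads.
SAMPLE_BODIES = [
    '{"val": "hello"}',
    '{"__init__": {"__globals__": {"__name__": "polluted"}}}',
    '{"user_role": {"__class__": {"role_name": "administrator"}}}',
]

def triage(bodies=SAMPLE_BODIES):
    """Run inspect_body over a batch of captured bodies."""
    return [inspect_body(b) for b in bodies]
```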

Timeline of Discovery and Disclosure

  • 2025-03-21: Vulnerability reported to mesop-dev.
  • 2025-03-27: Patch released in Mesop version 0.14.1.
  • 2025-03-27: CVE-2025-30358 publicly disclosed.
