Mesop Class Pollution Vulnerability Allowing Denial-of-Service and Potential Identity Confusion

Vulnerability

A class pollution vulnerability has been identified in the Mesop UI framework for Python, in versions through 0.14.0. This vulnerability allows attackers to overwrite global variables and class attributes in certain Mesop modules at runtime. The exploitation of this vulnerability could lead to a denial-of-service (DoS) condition on the server. Furthermore, depending on the application's implementation, it could cause identity confusion by allowing an attacker to impersonate an assistant or system role in conversations. Such impersonation could facilitate jailbreak attacks when interacting with large language models (LLMs). Similar to prototype pollution vulnerabilities in JavaScript, this issue could enable attackers to manipulate the application's data-flow or control-flow, potentially leading to severe consequences like remote code execution if suitable conditions are met.

Impact

Exploitation of this vulnerability could cause a denial-of-service condition on the server. Additionally, it could allow for identity confusion, enabling an attacker to impersonate an assistant or system role within conversations, which could lead to jailbreak attacks when interacting with large language models (LLMs).

Reproduction

The vulnerability can be reproduced by using the 'update_dataclass_from_json' function to overwrite global variables with a payload that includes dunder properties. This can be done by passing a JSON string that targets the '__globals__' attribute of a class's __init__ method, effectively polluting the class with manipulated data. The presence of this pollution can be verified by checking if the global variable has been altered, which would indicate successful exploitation.
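The defensive pattern against this class of bug, as an added example (it is not Mesop's code and not the 0.14.1 patch): a recursive JSON-to-dataclass updater that writes only to declared dataclass fields and rejects dunder keys before anything is mutated. The names `safe_update_from_json`, `ChatState`, `Message` and `ASSISTANT_ROLE` are hypothetical, and both payloads are constructed samples.

```python
import dataclasses
import json
from dataclasses import dataclass, field

ASSISTANT_ROLE = "assistant"  # hypothetical module global that must stay untouched


class UnsafeKeyError(ValueError):
    """A payload key is a dunder name or not a declared dataclass field."""


def _walk(instance, data, apply):
    if not isinstance(data, dict):
        raise UnsafeKeyError("expected a JSON object")
    declared = {f.name for f in dataclasses.fields(instance)}
    for key, value in data.items():
        # Allowlist: only declared fields; dunder keys are rejected outright.
        if key.startswith("__") or key not in declared:
            raise UnsafeKeyError(f"rejected key {key!r}")
        current = getattr(instance, key)
        if dataclasses.is_dataclass(current) and not isinstance(current, type):
            _walk(current, value, apply)  # recurse only into dataclass fields
        elif apply:
            setattr(instance, key, value)


def safe_update_from_json(instance, payload: str) -> None:
    data = json.loads(payload)
    _walk(instance, data, apply=False)  # validate the whole payload first
    _walk(instance, data, apply=True)   # then mutate: rejection is all-or-nothing


@dataclass
class Message:
    role: str = "user"
    content: str = ""


@dataclass
class ChatState:
    title: str = ""
    last: Message = field(default_factory=Message)


# Constructed payloads: one benign, one using the dunder path the advisory describes.
BENIGN = '{"title": "hi", "last": {"content": "hello"}}'
POLLUTING = '{"title": "x", "__init__": {"__globals__": {"ASSISTANT_ROLE": "user"}}}'
```

Because validation runs over the whole payload before any `setattr`, a rejected request leaves the state object exactly as it was, including fields that appeared before the offending key.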

Remediation

Users are advised to upgrade to Mesop version 0.14.1, which addresses this vulnerability.

Added: Jun 9, 2025, 7:46 PM
Updated: Jun 9, 2025, 7:46 PM

Vulnerability Rating

Custom Algorithm
spread: 0.0
impact: 7.5
exploitability: 6.3
remediation: 7.7
relevance: 0.0
threat: 4.8
urgency: 2.9
incentive: 1.7

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.