CVSS: 6.8EPSS: 0%CPEs: 1EXPL: 0CVE-2025-46730 – Mobile Security Framework (MobSF) Allows Web Server Resource Exhaustion via ZIP of Death Attack
https://notcve.org/view.php?id=CVE-2025-46730
05 May 2025 — MobSF is a mobile application security testing tool used. Typically, MobSF is deployed on centralized internal or cloud-based servers that also host other security tools and web applications. Access to the MobSF web interface is often granted to internal security teams, audit teams, and external vendors. MobSF provides a feature that allows users to upload ZIP files for static analysis. Upon upload, these ZIP files are automatically extracted and stored within the MobSF directory. • https://github.com/MobSF/Mobile-Security-Framework-MobSF/security/advisories/GHSA-c5vg-26p8-q8cr • CWE-409: Improper Handling of Highly Compressed Data (Data Amplification) •
CVSS: 8.6EPSS: 0%CPEs: 1EXPL: 0CVE-2025-46335 – Mobile Security Framework (MobSF) Allows Stored Cross Site Scripting (XSS) via malicious SVG Icon Upload
https://notcve.org/view.php?id=CVE-2025-46335
05 May 2025 — Mobile Security Framework (MobSF) is a security research platform for mobile applications in Android, iOS and Windows Mobile. A Stored Cross-Site Scripting (XSS) vulnerability has been identified in MobSF versions up to and including 4.3.2. The vulnerability arises from improper sanitization of user-supplied SVG files during the Android APK analysis workflow. Version 4.3.3 fixes the issue. • https://github.com/MobSF/Mobile-Security-Framework-MobSF/commit/6987a946485a795f4fd38cebdb4860b368a1995d • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •
CVSS: 4.4EPSS: 0%CPEs: 1EXPL: 0CVE-2025-31116 – Mobile Security Framework (MobSF) has a SSRF Vulnerability fix bypass on assetlinks_check with DNS Rebinding
https://notcve.org/view.php?id=CVE-2025-31116
31 Mar 2025 — Mobile Security Framework (MobSF) is a pen-testing, malware analysis and security assessment framework capable of performing static and dynamic analysis. The mitigation for CVE-2024-29190 in valid_host() uses socket.gethostbyname(), which is vulnerable to SSRF abuse using DNS rebinding technique. This vulnerability is fixed in 4.3.2. • https://github.com/MobSF/Mobile-Security-Framework-MobSF/commit/4b8bab5a9858c69fe13be4631b82d82186e0d3bd • CWE-918: Server-Side Request Forgery (SSRF) •
CVSS: 8.4EPSS: 0%CPEs: 1EXPL: 0CVE-2025-24803 – Stored Cross-Site Scripting (XSS) in MobSF
https://notcve.org/view.php?id=CVE-2025-24803
05 Feb 2025 — Mobile Security Framework (MobSF) is an automated, all-in-one mobile application (Android/iOS/Windows) pen-testing, malware analysis and security assessment framework. According to Apple's documentation for bundle ID's, it must contain only alphanumeric characters (A–Z, a–z, and 0–9), hyphens (-), and periods (.). However, an attacker can manually modify this value in the `Info.plist` file and add special characters to the `
CVSS: 7.5EPSS: 0%CPEs: 1EXPL: 0CVE-2025-24804 – Partial Denial of Service (DoS) in MobSF
https://notcve.org/view.php?id=CVE-2025-24804
05 Feb 2025 — Mobile Security Framework (MobSF) is an automated, all-in-one mobile application (Android/iOS/Windows) pen-testing, malware analysis and security assessment framework. According to Apple's documentation for bundle ID's, it must contain only alphanumeric characters (A–Z, a–z, and 0–9), hyphens (-), and periods (.). However, an attacker can manually modify this value in the `Info.plist` file and add special characters to the `
CVSS: 8.5EPSS: 0%CPEs: 1EXPL: 0CVE-2025-24805 – Local Privilege Escalation in MobSF
https://notcve.org/view.php?id=CVE-2025-24805
05 Feb 2025 — Mobile Security Framework (MobSF) is an automated, all-in-one mobile application (Android/iOS/Windows) pen-testing, malware analysis and security assessment framework. A local user with minimal privileges is able to make use of an access token for materials for scopes which it should not be accepted. This issue has been addressed in version 4.3.1 and all users are advised to upgrade. There are no known workarounds for this vulnerability. • https://github.com/MobSF/Mobile-Security-Framework-MobSF/commit/05206e72cae35b311615a70e51e1a946955c5e83 • CWE-269: Improper Privilege Management •