
Unchecked Vulnerability in MobSF Security Testing Tool Permits Attackers to Introduce Malicious Data Files

Discovered: Vulnerability in Mobile Security Framework (MobSF) enables authenticated hackers to upload and run malicious files, leveraging flawed path verification.


In a recent discovery, two critical vulnerabilities have been identified in the Mobile Security Framework (MobSF), a popular open-source mobile application security testing tool. These vulnerabilities, if exploited, could pose significant risks to the integrity and functionality of MobSF.

The first vulnerability, known as the Absolute Path Slip vulnerability (CVE-2025-58162), resides in the AR archive extraction logic within the file. This vulnerability arises from improper path validation, allowing authenticated attackers to upload and execute malicious files. An attacker-controlled .a archive containing an absolute filename can lead to overwriting a file outside the intended static_objects directory, potentially causing distortion of analysis results, integrity compromise, and service disruption.

The severity of this flaw is Moderate (CVSS 3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:H/A:H). The vulnerability has been addressed in version 4.4.1, and users are advised to upgrade immediately.

The recommended fixes for this vulnerability include rejecting absolute paths, using for robust directory boundary enforcement, and ensuring archive extraction always verifies that normalized target paths remain under the intended root.
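The checks listed above can be sketched as follows. This is an added example, not MobSF's code or its actual patch; the function names, the exception class and the sample member names are constructed for illustration, and the root directory is a temporary stand-in for static_objects.

```python
import os
import tempfile


class UnsafeMemberName(ValueError):
    """Raised when an archive member name would resolve outside the root."""


def naive_target(root, member_name):
    # Weak form: os.path.join discards `root` when member_name is absolute.
    return os.path.join(root, member_name)


def safe_target(root, member_name):
    """Return the extraction path for member_name, guaranteed to be under root."""
    if not member_name or "\x00" in member_name:
        raise UnsafeMemberName("empty or NUL-containing name")
    # Reject absolute names outright instead of trying to repair them.
    if os.path.isabs(member_name) or member_name.startswith(("/", "\\")):
        raise UnsafeMemberName(f"absolute name: {member_name!r}")
    root_real = os.path.realpath(root)
    # realpath collapses ".." and resolves symlinks already present under root.
    target = os.path.realpath(os.path.join(root_real, member_name))
    # commonpath compares whole path components; a plain string-prefix test
    # would accept a sibling directory whose name merely starts with root's.
    if target == root_real or os.path.commonpath([root_real, target]) != root_real:
        raise UnsafeMemberName(f"escapes root: {member_name!r}")
    return target


def audit(root, names):
    """Map each member name to its safe target path, or None if rejected."""
    result = {}
    for name in names:
        try:
            result[name] = safe_target(root, name)
        except UnsafeMemberName:
            result[name] = None
    return result


# Constructed sample member names, not taken from any real archive.
SAMPLE_NAMES = ["libfoo.o", "sub/bar.o", "/tmp/evil.o",
                "../static_objects_old/x.o", "a/../../b.o"]

if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as root:
        for name, target in audit(root, SAMPLE_NAMES).items():
            print(f"{name!r:30} naive={naive_target(root, name)!r} safe={target!r}")
```

An extractor would call the validating function on every member name before opening the output file, and skip or abort on rejection.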

The second vulnerability, the Directory Traversal Vulnerability (CVE-2025-58161), is a problem in the download handler of MobSF/views/home.py. This vulnerability carries a Low severity rating (CVSS 3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:N). It allows an attacker to retrieve any file with an allowed extension from a sibling directory. Uploading a crafted archive triggers a server error and corrupts the SQLite database, leading to malfunctioning scans.

Both issues have been addressed in MobSF 4.4.1, and users are encouraged to upgrade as soon as possible.

These vulnerabilities underscore the importance of rigorous sanitization when handling user-supplied file paths and archives. The discoverers of these vulnerabilities are Vasily Leshchenko (Solar AppSec) and noname1337h1, whose work highlights the continuous need for vigilance in maintaining the security of open-source tools.
