Critical Vulnerabilities in MobSF Allow Malicious File Uploads and Execution

The Mobile Security Framework (MobSF), a widely utilized open-source tool for mobile application security analysis, has been found to contain critical vulnerabilities that could allow authenticated attackers to upload and execute malicious files. These flaws, identified as CVE-2025-58161 and CVE-2025-58162, were present in version 4.4.0 and have been addressed in the subsequent release, version 4.4.1.

Key Takeaways:

1. MobSF version 4.4.0 contained vulnerabilities that permitted attackers to exploit file path validation flaws, potentially accessing sensitive files.

2. These security issues posed risks of data leaks and system corruption.

3. Users are strongly advised to update to the latest version to mitigate these risks.

Directory Traversal Vulnerability (CVE-2025-58161):

The first vulnerability resides in the download handler function within MobSF’s codebase. This function improperly processes file paths by stripping the `/download/` prefix and appending the remaining string to a designated directory using Python’s `Path` API.

The function `is_safe_path()` utilizes `os.path.commonprefix()` to verify that the resolved path begins with the specified safe root. However, `commonprefix` compares raw strings character by character rather than path components, so any path whose text merely starts with the root string passes the check: a sibling directory named `/home/mobsf/.MobSF/downloads_bak` is incorrectly treated as being inside `/home/mobsf/.MobSF/downloads`. By issuing a crafted request, an attacker could retrieve any file with an allowed extension from the sibling directory.

This directory traversal vulnerability (CVE-2025-58161) has been assigned a Low severity rating (CVSS 3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:N) and affects all installations using version 4.4.0 of the MobSF package.

Absolute Path Slip Vulnerability (CVE-2025-58162):

The second, more severe vulnerability affects the AR archive extraction logic within MobSF. The `ar_extract()` function decodes each archive member name and filters only for relative-path traversals (e.g., `..`, `%2e%2e`), neglecting absolute filenames.

When a filtered filename begins with `/`, the path resolves to an absolute path. An attacker-controlled `.a` archive containing a member like `/home/mobsf/.MobSF/db.sqlite3` could result in overwriting the database file outside the intended directory.

Demonstrations have shown that uploading a crafted archive can trigger a server error and corrupt the SQLite database, leading to malfunctioning scans and potential stored cross-site scripting (XSS) attacks by tampering with static templates.

This moderate severity flaw (CVSS 3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:H/A:H) enables arbitrary file writes under the MobSF process’s privileges, risking distortion of analysis results, integrity compromise, and service disruption.

Credit for discovering these vulnerabilities goes to Vasily Leshchenko (Solar AppSec) and the reporter noname1337h1.

Mitigation:

Both issues have been addressed in MobSF version 4.4.1. Users are strongly encouraged to upgrade immediately. Recommended fixes include:

– Rejecting absolute paths: normalize the input and refuse any name for which `os.path.isabs()` returns true.

– Using `os.path.commonpath()` instead of `commonprefix()` for robust directory boundary enforcement.

– Ensuring archive extraction always verifies that normalized target paths remain under the intended root.
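The following added example (not MobSF’s own code) illustrates both the flawed `commonprefix` boundary check described above and the hardened checks recommended here. The function names, the `DOWNLOADS_ROOT` constant and the sample paths are constructed for illustration.

```python
import os
import posixpath
from urllib.parse import unquote

# Constructed root mirroring the article's example; not a real MobSF setting.
DOWNLOADS_ROOT = "/home/mobsf/.MobSF/downloads"


def is_safe_path_commonprefix(root: str, candidate: str) -> bool:
    """The flawed check: commonprefix compares strings character by character,
    so a sibling directory whose name merely starts with `root` passes."""
    real_root = os.path.abspath(root)
    real_cand = os.path.abspath(candidate)
    return os.path.commonprefix([real_root, real_cand]) == real_root


def is_safe_path_commonpath(root: str, candidate: str) -> bool:
    """The corrected check: commonpath works on path components, so only
    `root` itself or a descendant of it is accepted."""
    real_root = os.path.abspath(root)
    real_cand = os.path.abspath(candidate)
    try:
        return os.path.commonpath([real_root, real_cand]) == real_root
    except ValueError:  # raised when the two paths cannot share a prefix
        return False


def safe_extract_target(root: str, member_name: str):
    """Map an archive member name to a target path, or return None if the
    member would land outside `root`. Rejects absolute names (the absolute
    path slip class) and plain or percent-encoded `..` traversal, then
    re-verifies the normalized result with commonpath."""
    name = unquote(member_name)  # decode %2e%2e before any other check
    if os.path.isabs(name) or name.startswith(("/", "\\")):
        return None
    normalized = posixpath.normpath(name)
    if normalized == "." or ".." in normalized.split("/"):
        return None
    target = os.path.join(root, normalized)
    if not is_safe_path_commonpath(root, target):
        return None
    return target
```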

Staying vigilant and promptly updating to patched versions is crucial to maintaining the security and integrity of systems utilizing MobSF.