mobsf 3.6.9 vulnerabilities

Direct Vulnerabilities

Known vulnerabilities in the mobsf package. This does not include vulnerabilities belonging to this package’s dependencies.

Fix vulnerabilities automatically

Snyk's AI Trust Platform automatically finds the best upgrade path and integrates with your development workflows. Secure your code at zero cost.

Fix for free

Vulnerability	Vulnerable Version
H Server-side Request Forgery (SSRF) mobsf is a Mobile Security Framework (MobSF) is an automated, all-in-one mobile application (Android/iOS/Windows) pen-testing, malware analysis and security assessment framework capable of performing static and dynamic analysis. Affected versions of this package are vulnerable to Server-side Request Forgery (SSRF) via the GET request in the `_check_url` method that is specified as `allow_redirects=True`. An attacker can cause the server to make a connection to internal-only services within the organization's infrastructure by utilising the fact that `https://mydomain.com/.well-known/assetlinks.json` returns a 302 redirect and subsequent requests are sent automatically. Note: This is a bypass of the fix for CVE-2024-29190. How to fix Server-side Request Forgery (SSRF)? Upgrade `mobsf` to version 3.9.7 or higher.	[,3.9.7)
M Improper Handling of Highly Compressed Data (Data Amplification) mobsf is a Mobile Security Framework (MobSF) is an automated, all-in-one mobile application (Android/iOS/Windows) pen-testing, malware analysis and security assessment framework capable of performing static and dynamic analysis. Affected versions of this package are vulnerable to Improper Handling of Highly Compressed Data (Data Amplification) through the ZIP file upload functionality. An attacker can exhaust the server's disk space, leading to a complete denial of service for MobSF and potentially other applications or websites hosted on the same server by crafting a specially prepared ZIP file that expands significantly upon extraction. How to fix Improper Handling of Highly Compressed Data (Data Amplification)? Upgrade `mobsf` to version 4.4.2 or higher.	[0,4.4.2)
M Cross-site Scripting (XSS) mobsf is a Mobile Security Framework (MobSF) is an automated, all-in-one mobile application (Android/iOS/Windows) pen-testing, malware analysis and security assessment framework capable of performing static and dynamic analysis. Affected versions of this package are vulnerable to Cross-site Scripting (XSS) due to improper sanitization of user-supplied SVG files during the Android APK analysis workflow. An attacker can execute arbitrary scripts in the context of the MobSF user session by uploading a malicious SVG file as an app icon and accessing the publicly available URL. How to fix Cross-site Scripting (XSS)? Upgrade `mobsf` to version 4.4.2 or higher.	[0,4.4.2)
L Server-side Request Forgery (SSRF) mobsf is a Mobile Security Framework (MobSF) is an automated, all-in-one mobile application (Android/iOS/Windows) pen-testing, malware analysis and security assessment framework capable of performing static and dynamic analysis. Affected versions of this package are vulnerable to Server-side Request Forgery (SSRF) through the `valid_host` function. An attacker can manipulate the DNS resolution process to bypass security checks by exploiting the DNS rebinding technique. Note: This is only exploitable if the system uses `socket.gethostbyname()` for DNS resolution, which does not adequately handle multiple rapid changes in DNS records. How to fix Server-side Request Forgery (SSRF)? Upgrade `mobsf` to version 4.3.2 or higher.	[,4.3.2)
H Improper Privilege Management mobsf is a Mobile Security Framework (MobSF) is an automated, all-in-one mobile application (Android/iOS/Windows) pen-testing, malware analysis and security assessment framework capable of performing static and dynamic analysis. Affected versions of this package are vulnerable to Improper Privilege Management via the `/source_code` endpoint. An attacker can access sensitive information by obtaining an API token that grants all privileges, despite having minimal user rights. How to fix Improper Privilege Management? Upgrade `mobsf` to version 4.3.2 or higher.	[,4.3.2)
H Improper Validation of Specified Type of Input mobsf is a Mobile Security Framework (MobSF) is an automated, all-in-one mobile application (Android/iOS/Windows) pen-testing, malware analysis and security assessment framework capable of performing static and dynamic analysis. Affected versions of this package are vulnerable to Improper Validation of Specified Type of Input through the `urls.py` file where URL rules are defined. An attacker can cause the application to throw a 500 error and fail to display content by uploading a malicious application with a modified `Info.plist` file containing restricted characters in the `CFBundleIdentifier` key. How to fix Improper Validation of Specified Type of Input? Upgrade `mobsf` to version 4.3.2 or higher.	[,4.3.2)
H Cross-site Scripting (XSS) mobsf is a Mobile Security Framework (MobSF) is an automated, all-in-one mobile application (Android/iOS/Windows) pen-testing, malware analysis and security assessment framework capable of performing static and dynamic analysis. Affected versions of this package are vulnerable to Cross-site Scripting (XSS) through the `dynamic_analysis.html` functionality. An attacker can perform actions as users, including administrative users, by uploading a malicious application to the Corellium platform and exploiting unsanitized input in the `bundle` identifier. How to fix Cross-site Scripting (XSS)? Upgrade `mobsf` to version 4.3.2 or higher.	[,4.3.2)
M Cross-site Scripting (XSS) mobsf is a Mobile Security Framework (MobSF) is an automated, all-in-one mobile application (Android/iOS/Windows) pen-testing, malware analysis and security assessment framework capable of performing static and dynamic analysis. Affected versions of this package are vulnerable to Cross-site Scripting (XSS) due to improper sanitization of special characters such as `<, >, /, and "` in the `Diff or Compare` functionality. An attacker can execute arbitrary scripts in the context of the user's browser. How to fix Cross-site Scripting (XSS)? Upgrade `mobsf` to version 4.3.0 or higher.	[,4.3.0)
H Arbitrary File Write via Archive Extraction (Zip Slip) mobsf is a Mobile Security Framework (MobSF) is an automated, all-in-one mobile application (Android/iOS/Windows) pen-testing, malware analysis and security assessment framework capable of performing static and dynamic analysis. Affected versions of this package are vulnerable to Arbitrary File Write via Archive Extraction (Zip Slip) via the `ar_extract` function in the `shared_func.py` component during the extraction of `.a` extension files. This vulnerability derives due to improper user input sanitization, allowing an attacker to bypass existing protections using sequences like `....//....//....//`. Exploiting this vulnerability allows an attacker to write arbitrary files to any location on the server by manipulating the file path in the archive. How to fix Arbitrary File Write via Archive Extraction (Zip Slip)? Upgrade `mobsf` to version 4.1.3 or higher.	[,4.1.3)
M URL Redirection to Untrusted Site ('Open Redirect') mobsf is a Mobile Security Framework (MobSF) is an automated, all-in-one mobile application (Android/iOS/Windows) pen-testing, malware analysis and security assessment framework capable of performing static and dynamic analysis. Affected versions of this package are vulnerable to URL Redirection to Untrusted Site ('Open Redirect') through the authentication view by manipulating the redirect URL after a successful login. Note:* This is only exploitable if the authentication feature is enabled. How to fix URL Redirection to Untrusted Site ('Open Redirect')? Upgrade `mobsf` to version 4.1.3 or higher.	[,4.1.3)
M Server-Side Request Forgery (SSRF) mobsf is a Mobile Security Framework (MobSF) is an automated, all-in-one mobile application (Android/iOS/Windows) pen-testing, malware analysis and security assessment framework capable of performing static and dynamic analysis. Affected versions of this package are vulnerable to Server-Side Request Forgery (SSRF) due to the firebase database check logic. An attacker can cause the server to make connections to internal-only services within the organization's infrastructure by uploading a malicious app to the Static analyzer, enabling internal requests. How to fix Server-Side Request Forgery (SSRF)? Upgrade `mobsf` to version 4.1.3 or higher.	[,4.1.3)
H Insecure Permissions mobsf is a Mobile Security Framework (MobSF) is an automated, all-in-one mobile application (Android/iOS/Windows) pen-testing, malware analysis and security assessment framework capable of performing static and dynamic analysis. Affected versions of this package are vulnerable to Insecure Permissions due to missing access restrictions. An attacker can append `/recent_scans/` to the URL after the homepage and gain access to APK or IPA reports, potentially leading to sensitive information disclosure. How to fix Insecure Permissions? There is no fixed version for `mobsf`.	[0,)

Vulnerability

Vulnerable Version

Server-side Request Forgery (SSRF)

mobsf is a Mobile Security Framework (MobSF) is an automated, all-in-one mobile application (Android/iOS/Windows) pen-testing, malware analysis and security assessment framework capable of performing static and dynamic analysis.

Affected versions of this package are vulnerable to Server-side Request Forgery (SSRF) via the GET request in the _check_url method that is specified as allow_redirects=True. An attacker can cause the server to make a connection to internal-only services within the organization's infrastructure by utilising the fact that https://mydomain.com/.well-known/assetlinks.json returns a 302 redirect and subsequent requests are sent automatically.

Note:

This is a bypass of the fix for CVE-2024-29190.

How to fix Server-side Request Forgery (SSRF)?

Upgrade mobsf to version 3.9.7 or higher.

[,3.9.7)

Improper Handling of Highly Compressed Data (Data Amplification)

Affected versions of this package are vulnerable to Improper Handling of Highly Compressed Data (Data Amplification) through the ZIP file upload functionality. An attacker can exhaust the server's disk space, leading to a complete denial of service for MobSF and potentially other applications or websites hosted on the same server by crafting a specially prepared ZIP file that expands significantly upon extraction.

How to fix Improper Handling of Highly Compressed Data (Data Amplification)?

Upgrade mobsf to version 4.4.2 or higher.

[0,4.4.2)

Cross-site Scripting (XSS)

Affected versions of this package are vulnerable to Cross-site Scripting (XSS) due to improper sanitization of user-supplied SVG files during the Android APK analysis workflow. An attacker can execute arbitrary scripts in the context of the MobSF user session by uploading a malicious SVG file as an app icon and accessing the publicly available URL.

How to fix Cross-site Scripting (XSS)?

Upgrade mobsf to version 4.4.2 or higher.

[0,4.4.2)

Server-side Request Forgery (SSRF)

Affected versions of this package are vulnerable to Server-side Request Forgery (SSRF) through the valid_host function. An attacker can manipulate the DNS resolution process to bypass security checks by exploiting the DNS rebinding technique.

Note:

This is only exploitable if the system uses socket.gethostbyname() for DNS resolution, which does not adequately handle multiple rapid changes in DNS records.

How to fix Server-side Request Forgery (SSRF)?

Upgrade mobsf to version 4.3.2 or higher.

[,4.3.2)

Improper Privilege Management

Affected versions of this package are vulnerable to Improper Privilege Management via the /source_code endpoint. An attacker can access sensitive information by obtaining an API token that grants all privileges, despite having minimal user rights.

How to fix Improper Privilege Management?

Upgrade mobsf to version 4.3.2 or higher.

[,4.3.2)

Improper Validation of Specified Type of Input

Affected versions of this package are vulnerable to Improper Validation of Specified Type of Input through the urls.py file where URL rules are defined. An attacker can cause the application to throw a 500 error and fail to display content by uploading a malicious application with a modified Info.plist file containing restricted characters in the CFBundleIdentifier key.

How to fix Improper Validation of Specified Type of Input?

Upgrade mobsf to version 4.3.2 or higher.

[,4.3.2)

Cross-site Scripting (XSS)

Affected versions of this package are vulnerable to Cross-site Scripting (XSS) through the dynamic_analysis.html functionality. An attacker can perform actions as users, including administrative users, by uploading a malicious application to the Corellium platform and exploiting unsanitized input in the bundle identifier.

How to fix Cross-site Scripting (XSS)?

Upgrade mobsf to version 4.3.2 or higher.

[,4.3.2)

Cross-site Scripting (XSS)

Affected versions of this package are vulnerable to Cross-site Scripting (XSS) due to improper sanitization of special characters such as <, >, /, and " in the Diff or Compare functionality. An attacker can execute arbitrary scripts in the context of the user's browser.

How to fix Cross-site Scripting (XSS)?

Upgrade mobsf to version 4.3.0 or higher.

[,4.3.0)

Arbitrary File Write via Archive Extraction (Zip Slip)

Affected versions of this package are vulnerable to Arbitrary File Write via Archive Extraction (Zip Slip) via the ar_extract function in the shared_func.py component during the extraction of .a extension files. This vulnerability derives due to improper user input sanitization, allowing an attacker to bypass existing protections using sequences like ....//....//....//.

Exploiting this vulnerability allows an attacker to write arbitrary files to any location on the server by manipulating the file path in the archive.

How to fix Arbitrary File Write via Archive Extraction (Zip Slip)?

Upgrade mobsf to version 4.1.3 or higher.

[,4.1.3)

URL Redirection to Untrusted Site ('Open Redirect')

Affected versions of this package are vulnerable to URL Redirection to Untrusted Site ('Open Redirect') through the authentication view by manipulating the redirect URL after a successful login.

Note:* This is only exploitable if the authentication feature is enabled.

How to fix URL Redirection to Untrusted Site ('Open Redirect')?

Upgrade mobsf to version 4.1.3 or higher.

[,4.1.3)

Server-Side Request Forgery (SSRF)

Affected versions of this package are vulnerable to Server-Side Request Forgery (SSRF) due to the firebase database check logic. An attacker can cause the server to make connections to internal-only services within the organization's infrastructure by uploading a malicious app to the Static analyzer, enabling internal requests.

How to fix Server-Side Request Forgery (SSRF)?

Upgrade mobsf to version 4.1.3 or higher.

[,4.1.3)

Insecure Permissions

Affected versions of this package are vulnerable to Insecure Permissions due to missing access restrictions. An attacker can append /recent_scans/ to the URL after the homepage and gain access to APK or IPA reports, potentially leading to sensitive information disclosure.

How to fix Insecure Permissions?

There is no fixed version for mobsf.

[0,)

mobsf@3.6.9 vulnerabilities

Mobile Security Framework (MobSF) is an automated, all-in-one mobile application (Android/iOS/Windows) pen-testing, malware analysis and security assessment framework capable of performing static and dynamic analysis.

latest version

first published

latest version published

licenses detected

Direct Vulnerabilities

Fix vulnerabilities automatically