Vulnerabilities reported in Mobile Security Framework (MobSF)
Take action: This is an uncomfortable class of flaw: the security evaluation product itself can be attacked by the malicious applications it is scanning. Since MobSF is designed to scan for malicious content, you need to be able to trust it rather than worry about whether it can be compromised. Patch it as soon as possible if you are using it.
Learn More
The Mobile Security Framework (MobSF), a widely utilized security assessment tool for mobile applications, has been found to contain two flaws that affect all versions up to and including 4.3.2.
The flaws could lead to service disruption across organizations and even system compromise and widespread
- CVE-2025-46335 (CVSS score 8.6) - Stored Cross-Site Scripting (XSS). This vulnerability stems from improper sanitization of user-supplied SVG files during Android APK analysis workflows. When an Android Studio project containing a malicious SVG file as an app icon is uploaded to MobSF, the framework extracts the contents without proper validation. The SVG file becomes publicly accessible via the web interface, and if it contains embedded JavaScript code, accessing this URL executes the script in the context of the MobSF user session, enabling attackers to perform actions with the victim's privileges.
- CVE-2025-46730 (CVSS score 6.8) - ZIP bomb. This vulnerability exploits MobSF's ZIP file processing functionality, which lacks checks on the total uncompressed size of uploaded files. The oversight makes the system vulnerable to attacks where a small compressed file (12-15 MB) can expand to consume gigabytes of storage space upon extraction. For example, an attacker could embed a 4.99 GB text file filled with zeros within a seemingly legitimate Android project, potentially exhausting all available server storage with a single request and affecting both MobSF and other applications hosted on the same server.
MobSF is typically deployed on centralized servers in many organizations, often alongside other security tools and web applications. Exploitation of these flaws through malicious applications submitted for analysis can compromise MobSF, and from there compromise its users through the stored XSS or take down other applications on the same system via the ZIP bomb.
The MobSF development team has acknowledged these security flaws and promptly released patches in version 4.3.3, which became available on May 5, 2025. The fixes include proper sanitization of SVG files and implementation of safeguards against ZIP bombs by checking uncompressed file sizes before extraction.
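To illustrate the kind of pre-extraction safeguard the 4.3.3 fix describes, here is an added example (my own code, not MobSF's): it rejects an archive whose declared uncompressed size or compression ratio exceeds a budget, and additionally counts the bytes actually produced while streaming extraction so that a forged header cannot bypass the check. The limits, file names and the constructed sample archive are hypothetical.

```python
import io
import zipfile

# Hypothetical limits for this example; a real deployment would tune these.
MAX_TOTAL_UNCOMPRESSED = 1024 * 1024      # 1 MiB extraction budget
MAX_COMPRESSION_RATIO = 100               # uncompressed / compressed


def build_sample_project_zip(zero_bytes: int) -> bytes:
    """Constructed sample: a tiny 'Android project' carrying one zero-filled file."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("app/src/main/AndroidManifest.xml", "<manifest/>")
        zf.writestr("app/src/main/assets/data.txt", b"\0" * zero_bytes)
    return buf.getvalue()


def check_archive(data: bytes, max_total=MAX_TOTAL_UNCOMPRESSED,
                  max_ratio=MAX_COMPRESSION_RATIO):
    """Pre-extraction check on the central-directory sizes. Returns (ok, reason)."""
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        total = sum(i.file_size for i in zf.infolist())
        compressed = sum(i.compress_size for i in zf.infolist()) or 1
    if total > max_total:
        return False, f"declared uncompressed size {total} exceeds budget {max_total}"
    if total / compressed > max_ratio:
        return False, f"compression ratio {total / compressed:.0f}:1 exceeds {max_ratio}:1"
    return True, "ok"


def extract_with_budget(data: bytes, max_total=MAX_TOTAL_UNCOMPRESSED,
                        chunk_size=64 * 1024) -> dict:
    """Extract into memory, counting bytes actually produced rather than trusting
    the header fields alone; abort as soon as the budget is exceeded."""
    ok, reason = check_archive(data, max_total)
    if not ok:
        raise ValueError(reason)
    files, written = {}, 0
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        for info in zf.infolist():
            if info.is_dir():
                continue
            parts = []
            with zf.open(info) as src:
                while chunk := src.read(chunk_size):
                    written += len(chunk)
                    if written > max_total:
                        raise ValueError(f"extraction exceeded {max_total} bytes")
                    parts.append(chunk)
            files[info.filename] = b"".join(parts)
    return files
```

A few kilobytes of DEFLATE-compressed zeros expand to megabytes, so the sample archive built with a large `zero_bytes` is rejected on both the size and the ratio check before any extraction happens.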
Users should update their MobSF installations as soon as possible.