MobSF Vulnerability Allows Attackers to Upload Malicious Files
Critical security flaws discovered in Mobile Security Framework (MobSF) version 4.4.0 enable authenticated attackers to exploit path traversal and arbitrary file write vulnerabilities, potentially compromising system integrity and exposing sensitive data.
Two significant vulnerabilities have been identified in the popular Mobile Security Framework (MobSF), a widely used open-source mobile application security testing platform.
The flaws, tracked as CVE-2025-58161 and CVE-2025-58162, affect MobSF version 4.4.0 and have been addressed in the patched version 4.4.1.
The security issues stem from inadequate path validation mechanisms in MobSF’s file handling routines.
Both vulnerabilities exploit weaknesses in the platform’s path traversal protection, allowing authenticated users to access or modify files outside designated directories.
CVE-2025-58161: Directory Traversal Vulnerability
The first vulnerability involves a path traversal flaw in the GET /download/<filename> endpoint.
The issue occurs due to MobSF’s reliance on os.path.commonprefix for path verification, which performs string-based comparisons rather than proper path component analysis.
When processing download requests, the system incorrectly validates file paths, allowing authenticated users to access files from “neighboring” directories whose absolute paths share the same string prefix as the intended download directory.
For example, if the legitimate download directory is /home/mobsf/.MobSF/downloads, an attacker could access files from directories like /home/mobsf/.MobSF/downloads_bak or /home/mobsf/.MobSF/downloads.old.
The vulnerability can be exploited by crafting malicious requests with absolute file paths, bypassing the existing relative path traversal protections that only check for ../ patterns.
CVE-2025-58162: Arbitrary File Write Vulnerability
The second, more severe vulnerability enables arbitrary file writing through malicious .a archive files during iOS static analysis.
When MobSF processes statically linked libraries, it extracts embedded objects to the filesystem without properly validating file names within the archive.
Attackers can create specially crafted .a files containing members with absolute path names.
During extraction, MobSF’s Path(dst) / filename operation resolves to the absolute path when the filename begins with / or C:/, effectively bypassing the intended destination directory restrictions.
This vulnerability allows authenticated users to overwrite critical system files, including MobSF’s own database (db.sqlite3), configuration files, or even inject malicious content into web templates for cross-site scripting attacks.
The path traversal vulnerability (CVE-2025-58161) has been assigned a Low severity rating with a CVSS score of 0.0, as it only allows data leakage from sibling directories with specific naming patterns.
However, the arbitrary file write vulnerability (CVE-2025-58162) carries a Moderate severity rating with a CVSS score of 6.0 due to its potential for system compromise.
Successful exploitation of CVE-2025-58162 can result in:
- System malfunction through database corruption
- Analysis result tampering by overwriting artifacts
- Stored cross-site scripting via template modification
- Privilege escalation in misconfigured container environments
Both vulnerabilities require authenticated access to the MobSF platform, limiting their immediate exploitability to users with valid credentials.
The vulnerabilities were discovered by security researcher noname1337h1 (Vasily Leshchenko from Solar AppSec) and responsibly disclosed to the MobSF development team.
The issues have been patched in MobSF version 4.4.1, which implements proper path validation and normalization mechanisms.
Organizations using MobSF are strongly advised to upgrade to version 4.4.1 immediately. The patches address both vulnerabilities by:
- Implementing proper path component comparison instead of string prefix matching
- Rejecting absolute paths in archive extraction routines
- Adding comprehensive path normalization before file operations
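To make the two root causes concrete, here is an added Python example that is not MobSF's own code: it contrasts the string-prefix check behind CVE-2025-58161 with a component-wise check built on os.path.commonpath, and the Path(dst) / filename join behind CVE-2025-58162 with a member check that rejects absolute and escaping names. The function names, the /tmp/mobsf_work extraction directory and the db.sqlite3 location are assumptions for illustration.

```python
import os
from pathlib import Path, PurePosixPath, PureWindowsPath
from typing import Optional

# Download directory from the article's example (assumed install location).
DOWNLOAD_DIR = "/home/mobsf/.MobSF/downloads"


def prefix_check_allows(requested: str, base: str = DOWNLOAD_DIR) -> bool:
    """The string-based check behind CVE-2025-58161: it passes whenever the
    absolute path merely starts with the base directory's characters, so a
    sibling such as downloads_bak is accepted as if it were inside."""
    target = os.path.abspath(requested)
    return os.path.commonprefix([target, base]) == base


def component_check_allows(requested: str, base: str = DOWNLOAD_DIR) -> bool:
    """Component-wise check: after normalization the path must be the base
    directory itself or lie strictly inside it; a shared prefix is not enough."""
    target = os.path.abspath(requested)
    try:
        return os.path.commonpath([target, base]) == base
    except ValueError:  # different drives on Windows can never be inside base
        return False


def naive_member_destination(dst: str, member_name: str) -> Path:
    """The join behind CVE-2025-58162: Path(dst) / name drops dst entirely
    when name is absolute, so the member is written wherever it says."""
    return Path(dst) / member_name


def safe_member_destination(dst: str, member_name: str) -> Optional[Path]:
    """Return where an archive member may be written, or None when its name is
    absolute (POSIX or Windows style) or climbs out of dst with '..'.
    Symlink members are out of scope here."""
    if not member_name:
        return None
    if PurePosixPath(member_name).is_absolute() or PureWindowsPath(member_name).is_absolute():
        return None
    base = os.path.abspath(dst)
    candidate = os.path.normpath(os.path.join(base, member_name))
    if os.path.commonpath([candidate, base]) != base:
        return None
    return Path(candidate)
```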
| CVE ID | Vulnerability Type | Severity | CVSS Score | Affected Versions |
|---|---|---|---|---|
| CVE-2025-58161 | Path Traversal | Low | 0.0/10 | 4.4.0 |
| CVE-2025-58162 | Arbitrary File Write (AR-Slip) | Moderate | 6.0/10 | 4.4.0 |
The discovery of these vulnerabilities highlights the importance of robust input validation and secure file handling practices in security analysis platforms.
While the immediate risk is limited to authenticated users, the potential for system compromise underscores the critical need for timely security updates in enterprise security tools.