Stored XSS Vulnerability in Mobile Security Framework by MobSF
CVE-2025-24803

8.4HIGH

Key Information:

Vendor: Mobsf
Status: Mobile-security-framework-mobsf
Vendor: CVE Published:; 5 February 2025

What is CVE-2025-24803?

Mobile Security Framework (MobSF) contains a vulnerability that allows attackers to exploit a poorly sanitized CFBundleIdentifier value in the Info.plist file. This flaw stems from the ability to introduce special characters into the bundle ID, enabling the execution of Stored XSS through the dynamic_analysis.html file. The vulnerability affects multiple mobile platforms, emphasizing the need for users to upgrade to version 4.3.1 to mitigate the risk. No workarounds are available for this issue.

Affected Version(s)

Mobile-Security-Framework-MobSF = 4.3.0

References

https://github.com/MobSF/Mobile-Security-Framework-MobSF/...

x_refsource_CONFIRM

https://github.com/MobSF/Mobile-Security-Framework-MobSF/...

x_refsource_MISC

https://developer.apple.com/documentation/bundleresources...

x_refsource_MISC

CVSS V4

Score:

8.4

Severity:

HIGH

Confidentiality:

High

Integrity:

High

Availability:

None

Attack Vector:

Network

Attack Complexity:

Low

Attack Required:

None

Privileges Required:

Undefined

User Interaction:

Unknown

Download the Critical Vulnerability Management Cheat Sheet

Timeline

Vulnerability published
Feb 5, 2025
Vulnerability Reserved
Jan 23, 2025

Mobsf

What is CVE-2025-24803?

Affected Version(s)

References

CVSS V4

Timeline