ZIP Bomb Vulnerability in MobSF Mobile Application Security Tool
CVE-2025-46730

6.8 MEDIUM

Key Information:

Vendor: Mobsf

CVE Published: 5 May 2025

What is CVE-2025-46730?

The MobSF Mobile Security Framework is susceptible to a ZIP bomb attack because it does not validate the uncompressed size of uploaded ZIP files. This allows an attacker to upload a maliciously crafted ZIP file that is small on disk but expands to a very large volume when extracted, potentially consuming all available disk space on the server. The result can be a denial of service not just for MobSF but for any other applications or services hosted on the same infrastructure. Organizations relying on MobSF, especially custom deployments, are urged to upgrade to a patched version and to add safeguards that monitor and restrict the size of file uploads.
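The safeguard the advisory recommends is a check on the uncompressed size before extraction, plus a hard cap on bytes actually written. The following is an added example, not MobSF's own code or its patch: it reads the declared sizes from the ZIP central directory, flags an archive whose declared total or compression ratio exceeds a limit, and streams extraction while counting real bytes so that a central directory that understates the payload still cannot exceed the cap. The limits (`MAX_TOTAL_UNCOMPRESSED`, `MAX_COMPRESSION_RATIO`) and the sample archives are assumptions constructed for the example.

```python
import io
import zipfile

# Limits chosen for this example (assumptions, not MobSF's settings).
MAX_TOTAL_UNCOMPRESSED = 50 * 1024 * 1024   # 50 MiB of extracted data
MAX_COMPRESSION_RATIO = 100                 # declared uncompressed / compressed


def inspect_zip(data: bytes) -> dict:
    """Read declared totals from the central directory without extracting anything."""
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        infos = zf.infolist()
        declared = sum(i.file_size for i in infos)
        compressed = sum(i.compress_size for i in infos)
    ratio = declared / compressed if compressed else float("inf")
    return {
        "entries": len(infos),
        "declared_uncompressed": declared,
        "compressed": compressed,
        "ratio": ratio,
    }


def is_suspicious(data: bytes) -> bool:
    """Cheap pre-extraction check: reject archives that declare too much data
    or an implausible compression ratio for an app upload."""
    s = inspect_zip(data)
    return (s["declared_uncompressed"] > MAX_TOTAL_UNCOMPRESSED
            or s["ratio"] > MAX_COMPRESSION_RATIO)


def extract_with_cap(data: bytes, limit: int = MAX_TOTAL_UNCOMPRESSED) -> int:
    """Stream every member in chunks and count the bytes actually produced.

    Central-directory sizes are attacker-controlled and may understate the real
    payload, so the declared-size check alone is not enough; this cap is
    enforced on the decompressed stream itself. Returns the total byte count.
    """
    total = 0
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        for info in zf.infolist():
            with zf.open(info) as member:
                while True:
                    chunk = member.read(64 * 1024)
                    if not chunk:
                        break
                    total += len(chunk)
                    if total > limit:
                        raise ValueError(
                            f"uncompressed data exceeds {limit} bytes; aborting")
                    # A real extractor would write `chunk` to disk here.
    return total


def exceeds_cap(data: bytes, limit: int) -> bool:
    """True if streaming extraction of `data` would blow past `limit` bytes."""
    try:
        extract_with_cap(data, limit)
    except ValueError:
        return True
    return False


def make_zip(payload: bytes, name: str = "sample.bin") -> bytes:
    """Build a deflate-compressed archive in memory (constructed sample data)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", compression=zipfile.ZIP_DEFLATED) as zf:
        zf.writestr(name, payload)
    return buf.getvalue()


if __name__ == "__main__":
    # A benign upload and a highly compressible one (8 MiB of zero bytes),
    # both constructed here for illustration.
    benign = make_zip(b"hello world")
    inflating = make_zip(b"\x00" * (8 * 1024 * 1024))
    for label, archive in (("benign", benign), ("inflating", inflating)):
        s = inspect_zip(archive)
        print(f"{label}: {s['compressed']} B compressed -> "
              f"{s['declared_uncompressed']} B declared, ratio {s['ratio']:.0f}, "
              f"suspicious={is_suspicious(archive)}")
    print("cap hit on 1 MiB limit:", exceeds_cap(inflating, 1024 * 1024))
```

Both checks belong in an upload handler: `is_suspicious` rejects obvious bombs before any disk I/O, and `extract_with_cap` guarantees that even a forged central directory cannot write more than the configured limit. Nested archives (a ZIP inside a ZIP) need the same cap applied at each level of unpacking.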

Affected Version(s)

Mobile-Security-Framework-MobSF <= 4.3.2

References

CVSS V3.1

Score: 6.8
Severity: MEDIUM
Confidentiality: None
Integrity: None
Availability: None
Attack Vector: Network
Attack Complexity: Low
Privileges Required: High
User Interaction: None
Scope: Changed

Timeline

  • Vulnerability published

  • Vulnerability Reserved
