Directory Traversal Vulnerability in MobSF Mobile Application Security Testing Tool
CVE-2025-58161

1.3LOW

Key Information:

Vendor: Mobsf
Status: Mobile-security-framework-mobsf
Vendor: CVE Published:; 2 September 2025

What is CVE-2025-58161?

MobSF, a mobile application security testing framework, presents a directory traversal vulnerability in version 4.4.0. The flaw arises from improper handling of file path verification in the GET /download/ route, allowing an authenticated user to access files stored outside the designated download directory (DWD_DIR) by leveraging relative path structures. This could lead to unauthorized access to sensitive information, as users can retrieve files from adjacent directories that share a common prefix with the DWD_DIR path. The issue has been addressed in version 4.4.1, emphasizing the importance of timely updates to mitigate security risks.

Affected Version(s)

Mobile-Security-Framework-MobSF = 4.4.0

References

https://github.com/MobSF/Mobile-Security-Framework-MobSF/...

x_refsource_CONFIRM

https://github.com/MobSF/Mobile-Security-Framework-MobSF/...

x_refsource_MISC

https://github.com/MobSF/Mobile-Security-Framework-MobSF/...

x_refsource_MISC

CVSS V4

Score:

1.3

Severity:

LOW

Confidentiality:

Low

Integrity:

None

Availability:

None

Attack Vector:

Network

Attack Complexity:

Low

Attack Required:

None

Privileges Required:

Undefined

User Interaction:

None

Download the Critical Vulnerability Management Cheat Sheet

Timeline

Vulnerability published
Sep 2, 2025
Vulnerability Reserved
Aug 27, 2025

Mobsf

What is CVE-2025-58161?

Affected Version(s)

References

CVSS V4

Timeline