Mobile Security Framework
CVE-2025-24804
MEDIUM
Severity by source
CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:P/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Primary rating from GitHub Advisory · only source for this CVE.
CVSS VectorGitHub Advisory
CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:P/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Lifecycle Timeline
4DescriptionGitHub Advisory
Mobile Security Framework (MobSF) is an automated, all-in-one mobile application (Android/iOS/Windows) pen-testing, malware analysis and security assessment framework. According to Apple's documentation for bundle ID's, it must contain only alphanumeric characters (A-Z, a-z, and 0-9), hyphens (-), and periods (.). However, an attacker can manually modify this value in the Info.plist file and add special characters to the <key>CFBundleIdentifier</key> value. When the application parses the wrong characters in the bundle ID, it encounters an error. As a result, it will not display content and will throw a 500 error instead. The only way to make the pages work again is to manually remove the malicious application from the system. This issue has been addressed in version 4.3.1 and all users are advised to upgrade. There are no known workarounds for this vulnerability.
AnalysisAI
Mobile Security Framework (MobSF) is an automated, all-in-one mobile application (Android/iOS/Windows) pen-testing, malware analysis and security assessment framework. Rated medium severity (CVSS 4.8), this vulnerability is remotely exploitable, low attack complexity. Public exploit code available.
Technical ContextAI
This vulnerability is classified under CWE-1287. Mobile Security Framework (MobSF) is an automated, all-in-one mobile application (Android/iOS/Windows) pen-testing, malware analysis and security assessment framework. According to Apple's documentation for bundle ID's, it must contain only alphanumeric characters (A-Z, a-z, and 0-9), hyphens (-), and periods (.). However, an attacker can manually modify this value in the Info.plist file and add special characters to the <key>CFBundleIdentifier</key> value. When the application parses the wrong characters in the bundle ID, it encounters an error. As a result, it will not display content and will throw a 500 error instead. The only way to make the pages work again is to manually remove the malicious application from the system. This issue has been addressed in version 4.3.1 and all users are advised to upgrade. There are no known workarounds for this vulnerability. Affected products include: Opensecurity Mobile Security Framework. Version information: version 4.3.1.
RemediationAI
A vendor patch is available. Apply the latest security update as soon as possible. Apply vendor patches when available. Implement network segmentation and monitoring as interim mitigations.
More in Mobile Security Framework
View allMobile Security Framework (MobSF) is a pen-testing, malware analysis and security assessment framework capable of perfor
Mobile Security Framework (MobSF) is a security research platform for mobile applications in Android, iOS and Windows Mo
MobSF versions prior to 4.4.5 are vulnerable to stored XSS through unsanitized rendering of Android manifest attributes
Mobile Security Framework (MobSF) is a pen-testing, malware analysis and security assessment framework capable of perfor
Mobile Security Framework (MobSF) <=v3.7.8 Beta is vulnerable to Insecure Permissions. Rated high severity (CVSS 7.5), t
Mobile Security Framework (MobSF) v0.9.2 and below was discovered to contain a local file inclusion (LFI) vulnerability
MobSF is a mobile application security testing tool used. Rated medium severity (CVSS 6.8), this vulnerability is remote
Mobile Security Framework (MobSF) is a pen-testing, malware analysis and security assessment framework capable of perfor
Mobile Security Framework (MobSF) is a security research platform for mobile applications in Android, iOS and Windows Mo
Mobile Security Framework (MobSF) is a pen-testing, malware analysis and security assessment framework capable of perfor
Mobile Security Framework (MobSF) is a pen-testing, malware analysis and security assessment framework capable of perfor
MobSF is a mobile application security testing tool used. Rated low severity (CVSS 1.3), this vulnerability is remotely
Same technique Information Disclosure
View allShare
External POC / Exploit Code
Leaving vuln.today