CVE-2025-24803
Published 2025-02-05. CVE-2025-24803: Mobile Security Framework (MobSF) is an automated, all-in-one mobile application (Android/iOS/Windows) pen-testing, malware analysis and security assessment…
Priority: P425 | Severity: medium | CVSS 3.1 base score: 5.4
CVSS 3.1 vector: AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N
EPSS: 0.36% (27.7th percentile)
Mobile Security Framework (MobSF) is an automated, all-in-one mobile application (Android/iOS/Windows) pen-testing, malware analysis and security assessment framework. According to Apple's documentation for bundle IDs, a bundle identifier must contain only alphanumeric characters (A–Z, a–z, and 0–9), hyphens (-), and periods (.). However, an attacker can manually modify this value in the `Info.plist` file and add special characters to the `CFBundleIdentifier` value. The `dynamic_analysis.html` file does not sanitize the bundle value received from Corellium, so it is possible to break the HTML context and achieve Stored XSS. This issue has been addressed in version 4.3.1 and all users are advised to upgrade. There are no known workarounds for this vulnerability.
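The defensive check the advisory implies, as an added example that is not MobSF's own code: read `CFBundleIdentifier` from an Info.plist, validate it against the character set Apple documents, and HTML-escape it before it is placed into a template, so an unexpected value can neither pass validation nor break the HTML context. The function names and the sample plist are constructed for this illustration.

```python
import html
import plistlib
import re

# Apple's documented CFBundleIdentifier alphabet: A-Z, a-z, 0-9, hyphen, period.
BUNDLE_ID_RE = re.compile(r"^[A-Za-z0-9.-]+$")

# Constructed sample Info.plist (not from any real app): the bundle identifier
# carries markup characters that Apple's documentation does not allow.
TAMPERED_INFO_PLIST = b"""<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
<dict>
    <key>CFBundleIdentifier</key>
    <string>com.example.app&lt;b&gt;x&lt;/b&gt;</string>
</dict>
</plist>
"""


def bundle_id_from_plist(plist_bytes: bytes) -> str:
    """Read CFBundleIdentifier from an Info.plist (XML or binary plist)."""
    return plistlib.loads(plist_bytes)["CFBundleIdentifier"]


def is_valid_bundle_id(value: str) -> bool:
    """True only if the value uses the characters Apple's documentation allows."""
    return bool(BUNDLE_ID_RE.fullmatch(value))


def render_bundle_cell(value: str) -> str:
    """Build the HTML fragment for a bundle id.

    Escaping is applied unconditionally: even a value that failed validation
    (and was flagged upstream) can no longer close or open HTML tags here.
    """
    return f"<td>{html.escape(value, quote=True)}</td>"


if __name__ == "__main__":
    bundle_id = bundle_id_from_plist(TAMPERED_INFO_PLIST)
    print("bundle id:", bundle_id)
    print("valid per Apple docs:", is_valid_bundle_id(bundle_id))
    print("rendered:", render_bundle_cell(bundle_id))
```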
Affected
2 ranges
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| mobsf | mobile-security-framework-mobsf | — | — |
| opensecurity | mobile_security_framework | — | — |
CVSS provenance
NVD, CVSS v3.1: 5.4 MEDIUM (CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N)
NVD, CVSS v4.0: 8.4 HIGH (CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:P/VC:H/VI:H/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X)
OSV
MobSF Stored Cross-Site Scripting (XSS)
osv·2025-02-05
CVE-2025-24803 [HIGH] MobSF Stored Cross-Site Scripting (XSS)
MobSF Stored Cross-Site Scripting (XSS)
**Product:** MobSF
**Version:** CFBundleIdentifier` value.
In the `dynamic_analysis.html` file you do not sanitize the received bundle value from Corellium:
https://github.com/MobSF/Mobile-Security-Framework-MobSF/blob/d1d3b7a9aeb1a8c8c7c229a3455b19ade9fa8fe0/mobsf/templates/dynamic_analysis/ios/dynamic_analysis.html#L406
*Figure 1. Unsanitized bundle*
As a result, it is possible to break the HTML context and achieve Stored XSS.
## Vulnerability reproduction
To reproduce the vulnerability, follow the steps described below.
• Unzip the IPA file of any iOS application.
*Listing 1. Unzipping the file*
```
unzip test.ipa
```
• Modify the value of `CFBundleIdentifier` by adding restricted characters in the `Info.plist` file.
*Figure 2. Example of the
GHSA
MobSF Stored Cross-Site Scripting (XSS)
ghsa·2025-02-05
CVE-2025-24803 [HIGH] CWE-79 MobSF Stored Cross-Site Scripting (XSS)
No detection rules found.
No public exploits indexed.
No writeups or analysis indexed.
https://developer.apple.com/documentation/bundleresources/information-property-list/cfbundleidentifier
https://github.com/MobSF/Mobile-Security-Framework-MobSF/commit/05206e72cae35b311615a70e51e1a946955c5e83
https://github.com/MobSF/Mobile-Security-Framework-MobSF/security/advisories/GHSA-cxqq-w3x5-7ph3
Published: 2025-02-05