CVE-2025-46335
Published 2025-05-05
Priority: P4 (25)
CVSS 3.1: 5.4 (medium), vector AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N
EPSS: 0.25% (16.3rd percentile)
Mobile Security Framework (MobSF) is a security research platform for mobile applications in Android, iOS and Windows Mobile. A Stored Cross-Site Scripting (XSS) vulnerability has been identified in MobSF versions up to and including 4.3.2. The vulnerability arises from improper sanitization of user-supplied SVG files during the Android APK analysis workflow. Version 4.3.3 fixes the issue.
Affected (2 ranges)
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| mobsf | mobile-security-framework-mobsf | < 4.3.3 | 4.3.3 |
| opensecurity | mobile_security_framework | < 4.3.3 | 4.3.3 |
CVSS provenance
| Source | CVSS version | Score | Severity | Vector |
|---|---|---|---|---|
| nvd | 3.1 | 5.4 | MEDIUM | CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N |
| nvd | 4.0 | 8.6 | HIGH | CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:P/VC:H/VI:H/VA:L/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X |
GHSA
ghsa · 2025-05-05
CVE-2025-46335 [MEDIUM] CWE-79: Mobile Security Framework (MobSF) Allows Stored Cross Site Scripting (XSS) via malicious SVG Icon Upload
**Vulnerable MobSF Versions:** up to and including 4.3.2
… .svg
This file becomes publicly accessible via the web interface at:
`http://127.0.0.1:8081/download/filename.svg`
If the SVG contains embedded JavaScript (e.g., an XSS payload), opening this URL in a browser executes the script in the context of the MobSF user's session, resulting in stored XSS.
**Proof Of Concept:**
1. Create a malicious SVG file (ic_launcher.svg) with an embedded XSS payload.
2. Place the file in the Android Studio project directory: /app/src/main/res/mipmap-hdpi/ic_launcher.svg
3. Zip the project directory and upload it to MobSF.
4. After the scan, navigate to the "Recent Scans" page in the MobSF web interfa
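The root of the issue above is an extracted artifact served at a browser-reachable URL under its native type. As an added example that is neither MobSF's code nor its 4.3.3 fix, the following Python shows one hardening approach for such a download endpoint: flag script-bearing SVGs at ingest, and serve active content types as opaque attachments under a sandboxed CSP. The function names, the list of active types and the marker regex are assumptions for this example.

```python
import mimetypes
import re
from typing import Dict, Tuple

# MIME types a browser renders as active content (scripts can run) when
# served inline. Constructed for this example, not MobSF's own list.
ACTIVE_INLINE_TYPES = {
    "image/svg+xml", "text/html", "application/xhtml+xml",
    "text/xml", "application/xml",
}

# Heuristic markers of script-bearing SVG, used to flag an upload for
# review or logging at ingest time. Heuristic only: it is not a sanitizer.
SCRIPT_MARKERS = re.compile(
    rb"<script\b|\bon[a-z]+\s*=|javascript\s*:|<foreignobject\b",
    re.IGNORECASE,
)


def svg_has_active_content(data: bytes) -> bool:
    """Return True when an SVG embeds script-like content worth flagging."""
    return SCRIPT_MARKERS.search(data) is not None


def download_headers(filename: str) -> Tuple[str, Dict[str, str]]:
    """Pick a Content-Type and response headers for serving an extracted file.

    Active types are sent as opaque bytes with an attachment disposition, so
    a script-bearing SVG is saved to disk instead of rendered in the viewer's
    session. nosniff stops type guessing, and the CSP sandbox is a second
    line of defence should an intermediary rewrite the Content-Type.
    """
    guessed, _ = mimetypes.guess_type(filename)
    content_type = guessed or "application/octet-stream"
    # Keep only the basename and safe characters so the header cannot be
    # broken out of by a crafted filename.
    base = re.split(r"[\\/]", filename)[-1]
    safe_name = re.sub(r"[^A-Za-z0-9._-]", "_", base) or "download"
    headers = {
        "X-Content-Type-Options": "nosniff",
        "Content-Security-Policy": "default-src 'none'; sandbox",
        "Content-Disposition": "inline",
    }
    if content_type in ACTIVE_INLINE_TYPES:
        content_type = "application/octet-stream"
        headers["Content-Disposition"] = f'attachment; filename="{safe_name}"'
    return content_type, headers
```

Passive types such as PNG keep their real type and may be shown inline; only types a browser would execute are forced to download.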
OSV
osv · 2025-05-05
CVE-2025-46335 [MEDIUM] Mobile Security Framework (MobSF) Allows Stored Cross Site Scripting (XSS) via malicious SVG Icon Upload (advisory text identical to the GHSA entry above)
No detection rules found.
No public exploits indexed.
No writeups or analysis indexed.