CVE-2025-58162
Published 2025-09-02
Priority: P338
Severity: medium, 6.5 (CVSS 3.1)
CVSS vector: AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:H/A:H
EPSS: 0.56% (42.3rd percentile)
MobSF is a mobile application security testing tool. In version 4.4.0, an authenticated user who uploads a specially prepared `.a` archive can write arbitrary files to any directory writable by the user of the MobSF process. This issue has been patched in version 4.4.1.
Affected (2 ranges)
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| mobsf | mobile-security-framework-mobsf | — | — |
| opensecurity | mobile_security_framework | — | — |
## OSV (osv, 2025-09-02)
CVE-2025-58162 [MEDIUM]: MobSF Vulnerable to Arbitrary File Write (AR-Slip) via Absolute Path in .a Extraction
### Summary
The vulnerability allows any user to overwrite any files available under the account privileges of the running process.
### Details
As part of static analysis of iOS apps, MobSF supports loading and parsing statically linked libraries (`.a` archives). When parsing such archives, the code extracts the embedded objects to the file system in the working directory of the analysis. The problem is that the current implementation does not prohibit absolute file names inside the `.a`. If an archive item has a name like `/abs/path/to/file`, the resulting path is constructed as `Path(dst) / name`; for absolute paths, this leads to a complete substitution of the destination directory: writing occurs directly to the specified abso
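The two facts the advisory rests on can be shown in a few lines: `pathlib` discards the left operand when the right one is absolute, so `Path(dst) / "/abs/path/to/file"` is simply `/abs/path/to/file`, and the fix is to validate the member name before it ever reaches the filesystem. The following is an added example, not MobSF's own code and not the project's patch. It includes a minimal reader for the common `ar` header layout (plain 16-byte names, optional GNU trailing `/`, no extended-name tables, which is an assumption about the archive variant), a constructed in-memory archive whose member names are chosen for the test, and a hypothetical `safe_target()` check that rejects absolute names and `..` components and confirms the resolved path stays under the destination directory. The destination `/work/analysis` is a placeholder, not a real MobSF path.

```python
"""Added illustration for CVE-2025-58162 (AR-Slip): why ``Path(dst) / name``
is unsafe for archive member names, and one way to reject such names.
Example code, not MobSF's own; the archive below is constructed in memory."""
from pathlib import Path, PurePosixPath

AR_MAGIC = b"!<arch>\n"
ANALYSIS_DIR = Path("/work/analysis")  # placeholder destination, not a MobSF path


def ar_members(data: bytes):
    """Minimal reader for the common ar header layout.
    Assumption: plain 16-byte names, optional GNU trailing '/', no
    extended-name tables. Yields (name, payload) pairs."""
    if not data.startswith(AR_MAGIC):
        raise ValueError("not an ar archive")
    pos = len(AR_MAGIC)
    while pos + 60 <= len(data):
        hdr = data[pos:pos + 60]
        if hdr[58:60] != b"`\n":  # header terminator
            raise ValueError("bad member header")
        name = hdr[0:16].decode("ascii").rstrip()
        if len(name) > 1 and name.endswith("/"):  # GNU-style terminator
            name = name[:-1]
        size = int(hdr[48:58])  # decimal size field, space padded
        payload = data[pos + 60:pos + 60 + size]
        yield name, payload
        pos += 60 + size + (size & 1)  # members are 2-byte aligned


def build_ar(members):
    """Build a constructed archive in the same layout ar_members() reads."""
    out = bytearray(AR_MAGIC)
    for name, payload in members:
        if len(name) > 16:
            raise ValueError("name field is 16 bytes in this layout")
        hdr = f"{name:<16}{0:<12}{0:<6}{0:<6}{'100644':<8}{len(payload):<10}`\n".encode()
        out += hdr + payload
        if len(payload) & 1:
            out += b"\n"  # alignment byte
    return bytes(out)


def naive_target(dst: Path, name: str) -> Path:
    """The construction the advisory describes: an absolute name replaces dst."""
    return dst / name


def safe_target(dst: Path, name: str) -> Path:
    """Hypothetical hardened check: reject absolute names, '..' components and
    empty names, then confirm the resolved path is still inside dst."""
    p = PurePosixPath(name)
    if p.is_absolute() or not p.parts or ".." in p.parts:
        raise ValueError(f"unsafe member name: {name!r}")
    dst_res = dst.resolve()
    target = (dst_res / p).resolve()
    if dst_res not in target.parents:
        raise ValueError(f"member escapes destination: {name!r}")
    return target


def classify(archive: bytes, dst: Path) -> dict:
    """Map each member name to its relative write path or 'rejected'."""
    result = {}
    for name, _ in ar_members(archive):
        try:
            result[name] = str(safe_target(dst, name).relative_to(dst.resolve()))
        except ValueError:
            result[name] = "rejected"
    return result


# Constructed sample: one ordinary object, one absolute name, one traversal.
SAMPLE_AR = build_ar([
    ("hello.o", b"\x7fELF"),
    ("/abs/path/file", b"x"),
    ("../up.o", b"yy"),
])

if __name__ == "__main__":
    for name, _ in ar_members(SAMPLE_AR):
        print(f"{name!r:18} naive -> {naive_target(ANALYSIS_DIR, name)}")
    print(classify(SAMPLE_AR, ANALYSIS_DIR))
```

Running the block prints the naive target for each member, which for the absolute name is the absolute path itself rather than anything under the analysis directory, followed by the classification in which only `hello.o` is allowed. The `resolve()` comparison is the part worth keeping even after the name checks: it also catches names that pass the string tests but escape through a symlinked destination.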
## GHSA (ghsa, 2025-09-02)
CVE-2025-58162 [MEDIUM] CWE-22: MobSF Vulnerable to Arbitrary File Write (AR-Slip) via Absolute Path in .a Extraction. Summary and Details are identical to the OSV entry above.
No detection rules found.
No public exploits indexed.
No writeups or analysis indexed.
Published: 2025-09-02