CVE-2025-24803

MEDIUM

Opensecurity Mobile Security Framework < 4.3.1 - XSS

Title source: rule

Description

Mobile Security Framework (MobSF) is an automated, all-in-one mobile application (Android/iOS/Windows) pen-testing, malware analysis and security assessment framework. According to Apple's documentation for bundle ID's, it must contain only alphanumeric characters (A–Z, a–z, and 0–9), hyphens (-), and periods (.). However, an attacker can manually modify this value in the `Info.plist` file and add special characters to the `<key>CFBundleIdentifier</key>` value. The `dynamic_analysis.html` file does not sanitize the received bundle value from Corellium and as a result, it is possible to break the HTML context and achieve Stored XSS. This issue has been addressed in version 4.3.1 and all users are advised to upgrade. There are no known workarounds for this vulnerability.

References (3)

Core 3

Core References

Exploit, Vendor Advisory x_refsource_confirm

https://github.com/MobSF/Mobile-Security-Framework-MobSF/security/advisories/GHSA-cxqq-w3x5-7ph3

Patch x_refsource_misc

https://github.com/MobSF/Mobile-Security-Framework-MobSF/commit/05206e72cae35b311615a70e51e1a946955c5e83

View Patch ZIP pw:eip

Technical Description x_refsource_misc

https://developer.apple.com/documentation/bundleresources/information-property-list/cfbundleidentifier

Scores

CVSS v3 5.4

EPSS 0.0051

EPSS Percentile 66.6%

Attack Vector NETWORK

CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N

CISA SSVC

Vulnrichment

Exploitation poc

Automatable no

Technical Impact total

Details

CWE

CWE-79

Status published

Products (2)

opensecurity/mobile_security_framework 4.3.0

pypi/mobsf 0 - 4.3.1PyPI

Published Feb 05, 2025

Tracked Since Feb 18, 2026