MobSF Security Testing Tool Vulnerability Let Attackers Upload Malicious Files

Cybersecurity: Mobile Security Framework Vulnerabilities

A critical vulnerability in the Mobile Security Framework (MobSF) has been identified. This flaw allows authenticated attackers to upload and execute malicious files by exploiting improper path validation.

The vulnerability is present in version 4.4.0 and has been addressed in version 4.4.1. This issue highlights the necessity of rigorous sanitization when handling user-supplied file paths and archives.

Directory Traversal Vulnerability (CVE-2025-58161)

The initial issue is located in the download handler implemented in MobSF/views/home.py. The function incorrectly concatenates strings to the configured settings.DWD_DIR using Python’s Path API, leading to a potential directory traversal vulnerability.

The Directory Traversal vulnerability (CVE-2025-58161) has a Low severity rating and impacts all installations using version 4.4.0 of the MobSF package.

Absolute Path Slip Vulnerability

A second, more severe vulnerability (CVE-2025-58162) affects the AR archive extraction logic. The ar_extract() function fails to adequately filter out absolute filenames, leading to potential arbitrary file writes.

This vulnerability has a Moderate severity rating and allows attackers to overwrite files outside the intended directory, risking data integrity and service continuity.

Mitigation

These vulnerabilities were discovered by Vasily Leshchenko (Solar AppSec) and noname1337h1. Both issues have been resolved in MobSF 4.4.1, and users are advised to upgrade immediately. Recommended mitigations include:

• Rejecting absolute paths by normalizing input with os.path.isabs() checks.
• Using os.path.commonpath() instead of commonprefix() to enforce directory boundaries.
• Ensuring archive extraction verifies that target paths remain within the intended root directory.