CVE-2025-24805

Mobile Security Framework (MobSF) is an automated, all-in-one mobile application (Android/iOS/Windows) pen-testing, malware analysis and security assessment framework. A local user with minimal privileges is able to make use of an access token for materials for scopes which it should not be accepted. This issue has been addressed in version 4.3.1 and all users are advised to upgrade. There are no known workarounds for this vulnerability.

CVSS v3 5.5 MEDIUM

5.5^/10

CVSS v3 : MEDIUM

V3 Legend

Vector :

Exploitability : 1.8 / Impact : 3.6

Attack Vector LOCAL

Attack Complexity LOW

Privileges Required LOW

User Interaction NONE

Confidentiality Impact HIGH

Integrity Impact NONE

Availability Impact NONE

Scope UNCHANGED

References

Link	Resource
https://github.com/MobSF/Mobile-Security-Framework-MobSF/commit/05206e72cae35b311615a70e51e1a946955c5e83	Patch
https://github.com/MobSF/Mobile-Security-Framework-MobSF/security/advisories/GHSA-79f6-p65j-3m2m	Exploit Vendor Advisory

Configurations

Configuration 1 (hide)

cpe:2.3:a:opensecurity:mobile_security_framework:*:*:*:*:*:*:*:*

History

23 May 2025, 17:01

Type	Values Removed	Values Added
First Time		Opensecurity Opensecurity mobile Security Framework
References	~~() https://github.com/MobSF/Mobile-Security-Framework-MobSF/commit/05206e72cae35b311615a70e51e1a946955c5e83 -~~	() https://github.com/MobSF/Mobile-Security-Framework-MobSF/commit/05206e72cae35b311615a70e51e1a946955c5e83 - Patch
References	~~() https://github.com/MobSF/Mobile-Security-Framework-MobSF/security/advisories/GHSA-79f6-p65j-3m2m -~~	() https://github.com/MobSF/Mobile-Security-Framework-MobSF/security/advisories/GHSA-79f6-p65j-3m2m - Exploit, Vendor Advisory
CPE		cpe:2.3:a:opensecurity:mobile_security_framework::::::::
CVSS	v2 : ~~unknown~~ v3 : ~~unknown~~	v2 : unknown v3 : 5.5
CWE		NVD-CWE-noinfo
Summary		(es) Mobile Security Framework (MobSF) es un framework automatizado y todo en uno para pruebas de penetración, análisis de malware y evaluación de seguridad de aplicaciones móviles (Android/iOS/Windows). Un usuario local con privilegios mínimos puede utilizar un token de acceso para acceder a materiales de ámbitos que no deberían aceptarse. Este problema se ha solucionado en la versión 4.3.1 y se recomienda a todos los usuarios que actualicen la versión. No se conocen workarounds para esta vulnerabilidad.

05 Feb 2025, 19:15

Type	Values Removed	Values Added
New CVE

Information

Published : 2025-02-05 19:15

Updated : 2025-05-23 17:01

NVD link : CVE-2025-24805

Mitre link : CVE-2025-24805

CVE.ORG link : CVE-2025-24805

JSON object : View

Products Affected

opensecurity

mobile_security_framework

CWE

CWE-269

Improper Privilege Management

NVD-CWE-noinfo

5.5 /10