GHSA-79F6-P65J-3M2M
Vulnerability from github – Published: 2025-02-05 21:14 – Updated: 2025-02-05 21:45Product: Mobile Security Framework (MobSF)
Version: 4.3.0
CWE-ID: CWE-269: Improper Privilege Management
CVSS vector v.4.0: 7.1 (AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:N/VA:N/SC:L/SI:N/SA:N)
CVSS vector v.3.1: 6.5 (AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N)
Description: MobSF has a functionality of dividing users by roles. This functionality is not efficient, because any registered user can get API Token with all privileges.
Impact: Information Disclosure
Vulnerable component: Code output component (/source_code)
Exploitation conditions: authorized user
Mitigation: Remove token output in the returned js-script
Researcher: Egor Filatov (Positive Technologies)
Research
Researcher discovered zero-day vulnerability «Local Privilege Escalation» in Mobile Security Framework (MobSF). To reproduce the vulnerability follow the steps below.
• A user with minimal privileges is required, so the administrator must create a user account
Figure 1. Registration
• Go to static analysis of any application
Figure 2. Static analysis
• Go to the code review of the selected application and get a token with all privileges in the response
Figure 3. Token receiving
• This token can be used to retrieve dynamic analysis information that has not been accessed before.
Figure 4. No access demonstration
Figure 5. Token usage
As a result, the user is able to escalate the privileges.
Please, assign all credits to: Egor Filatov (Positive Technologies)
{
"affected": [
{
"database_specific": {
"last_known_affected_version_range": "\u003c= 4.3.0"
},
"package": {
"ecosystem": "PyPI",
"name": "mobsf"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"fixed": "4.3.1"
}
],
"type": "ECOSYSTEM"
}
]
}
],
"aliases": [
"CVE-2025-24805"
],
"database_specific": {
"cwe_ids": [
"CWE-269"
],
"github_reviewed": true,
"github_reviewed_at": "2025-02-05T21:14:47Z",
"nvd_published_at": "2025-02-05T19:15:46Z",
"severity": "HIGH"
},
"details": "**Product:** Mobile Security Framework (MobSF)\n**Version:** 4.3.0\n**CWE-ID:** CWE-269: Improper Privilege Management\n**CVSS vector v.4.0:** 7.1 (AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:N/VA:N/SC:L/SI:N/SA:N)\n**CVSS vector v.3.1:** 6.5 (AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N)\n**Description:** MobSF has a functionality of dividing users by roles. This functionality is not efficient, because any registered user can get API Token with all privileges.\n**Impact:** Information Disclosure \n**Vulnerable component:** Code output component (`/source_code`)\n**Exploitation conditions:** authorized user\n**Mitigation:** Remove token output in the returned js-script\n**Researcher:** Egor Filatov (Positive Technologies)\n\n## Research \n\nResearcher discovered zero-day vulnerability \u00abLocal Privilege Escalation\u00bb in Mobile Security Framework (MobSF).\nTo reproduce the vulnerability follow the steps below.\n\n\u2022\t A user with minimal privileges is required, so the administrator must create a user account\n\n\u003cimg width=\"215\" alt=\"fig1\" src=\"https://github.com/user-attachments/assets/43e02a50-bdd9-48d9-9194-73946fcc56d9\" /\u003e\n\n*Figure 1. Registration*\n\n\u2022\tGo to static analysis of any application\n\n\u003cimg width=\"1207\" alt=\"fig2\" src=\"https://github.com/user-attachments/assets/9ed141a7-a667-4a96-81fd-d81127874104\" /\u003e\n \n*Figure 2. Static analysis*\n\n\u2022\tGo to the code review of the selected application and get a token with all privileges in the response\n\n\u003cimg width=\"1400\" alt=\"fig3\" src=\"https://github.com/user-attachments/assets/bf8b704b-9067-4861-a7d3-05ec119d9a3f\" /\u003e\n \n*Figure 3. Token receiving*\n\n\u2022\tThis token can be used to retrieve dynamic analysis information that has not been accessed before.\n\n\n \n*Figure 4. No access demonstration*\n\n\u003cimg width=\"1412\" alt=\"fig5\" src=\"https://github.com/user-attachments/assets/dc8f639f-36b0-47d3-807d-58ae551fcbfc\" /\u003e\n \n*Figure 5. Token usage*\n\nAs a result, the user is able to escalate the privileges.\n\n\n_______________________\n\n### Please, assign all credits to: Egor Filatov (Positive Technologies)",
"id": "GHSA-79f6-p65j-3m2m",
"modified": "2025-02-05T21:45:40Z",
"published": "2025-02-05T21:14:47Z",
"references": [
{
"type": "WEB",
"url": "https://github.com/MobSF/Mobile-Security-Framework-MobSF/security/advisories/GHSA-79f6-p65j-3m2m"
},
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2025-24805"
},
{
"type": "WEB",
"url": "https://github.com/MobSF/Mobile-Security-Framework-MobSF/commit/05206e72cae35b311615a70e51e1a946955c5e83"
},
{
"type": "PACKAGE",
"url": "https://github.com/MobSF/Mobile-Security-Framework-MobSF"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N",
"type": "CVSS_V3"
},
{
"score": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:N/VA:N/SC:L/SI:N/SA:N",
"type": "CVSS_V4"
}
],
"summary": "MobSF Local Privilege Escalation"
}
Sightings
| Author | Source | Type | Date |
|---|
Nomenclature
- Seen: The vulnerability was mentioned, discussed, or observed by the user.
- Confirmed: The vulnerability has been validated from an analyst's perspective.
- Published Proof of Concept: A public proof of concept is available for this vulnerability.
- Exploited: The vulnerability was observed as exploited by the user who reported the sighting.
- Patched: The vulnerability was observed as successfully patched by the user who reported the sighting.
- Not exploited: The vulnerability was not observed as exploited by the user who reported the sighting.
- Not confirmed: The user expressed doubt about the validity of the vulnerability.
- Not patched: The vulnerability was not observed as successfully patched by the user who reported the sighting.