CVE-2025-24803: MobSF Stored Cross-Site Scripting (XSS)
Product: MobSF
Version: < 4.3.1
CWE-ID: CWE-79: Improper Neutralization of Input During Web Page Generation (‘Cross-site Scripting’)
CVSS v4.0 score: 8.5 (vector: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:P/VC:H/VI:H/VA:N/SC:N/SI:N/SA:N)
CVSS v3.1 score: 8.1 (vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:N)
Description: Stored XSS in the iOS Dynamic Analyzer. The bundle identifier (CFBundleIdentifier) of an analyzed application is rendered into dynamic_analysis.html without HTML escaping, so markup or script placed in that value by a malicious app is stored and executed in the browser of every user who opens the page.
Impact: An attacker who gets a malicious application into the analyzer can run script in the session of any MobSF user who views the iOS Dynamic Analyzer page and perform actions as that user, including administrative users.
Vulnerable component: dynamic_analysis.html
https://github.com/MobSF/Mobile-Security-Framework-MobSF/blob/d1d3b7a9aeb1a8c8c7c229a3455b19ade9fa8fe0/mobsf/templates/dynamic_analysis/ios/dynamic_analysis.html#L406
Exploitation conditions: A malicious application, whose bundle identifier contains HTML or JavaScript, has been uploaded to the Corellium instance used by the iOS Dynamic Analyzer.
Mitigation: Apply the escapeHtml() function to the bundle variable before it is written into the page (fixed in 4.3.1, see the commit in the references).
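The pattern behind the fix, as an added example that is not code from MobSF or from the advisory: the bundle identifier concatenated straight into HTML (the vulnerable shape) next to the same rendering with escapeHtml() applied first. The escapeHtml implementation, the row markup and the bundle identifiers are assumptions made for the example; the advisory only names the function and the variable.

```javascript
// Added example (not MobSF code). escapeHtml is an assumed implementation of
// the function the advisory names: entity-encode the five characters that can
// break out of an HTML text node or a quoted attribute.
function escapeHtml(unsafe) {
  return String(unsafe)
    .replace(/&/g, '&amp;')   // first, so the entities added below are not re-encoded
    .replace(/</g, '&lt;')
    .replace(/>/g, '&gt;')
    .replace(/"/g, '&quot;')
    .replace(/'/g, '&#039;');
}

// Constructed sample inputs. A well-formed CFBundleIdentifier is dot-separated
// alphanumerics, but a malicious IPA controls its own Info.plist, so the value
// cannot be trusted at render time.
const BENIGN_BUNDLE = 'com.example.app';
const MALICIOUS_BUNDLE = 'com.example.app"><img src=x onerror=alert(document.cookie)>';

// Vulnerable shape: the attacker-controlled value lands both inside a quoted
// attribute and in a text node, so a single quote/angle bracket breaks out.
function renderAppRowVulnerable(bundle) {
  return '<tr><td><a href="#" data-bundle="' + bundle + '">' + bundle + '</a></td></tr>';
}

// Fixed shape: escape once at the point of output and reuse the escaped value.
function renderAppRowFixed(bundle) {
  const safe = escapeHtml(bundle);
  return '<tr><td><a href="#" data-bundle="' + safe + '">' + safe + '</a></td></tr>';
}

// Check used below: after removing the tags the template itself emits, does any
// raw '<' remain? In the fixed output every '<' from the input is '&lt;'.
function containsInjectedMarkup(html) {
  const withoutTemplateTags = html.replace(/<\/?(tr|td|a)(\s[^>]*)?>/g, '');
  return /</.test(withoutTemplateTags);
}

console.log(renderAppRowVulnerable(MALICIOUS_BUNDLE));
console.log(renderAppRowFixed(MALICIOUS_BUNDLE));
```

Escaping at output is the right place for it because the bundle identifier is stored data: validating it on upload would not protect rows that were already saved. Where the page is built with DOM APIs instead of string concatenation, assigning the value through textContent or setAttribute() gives the same protection without a manual escape step.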
Researcher: Oleg Surnin (Positive Technologies)
References
- https://developer.apple.com/documentation/bundleresources/information-property-list/cfbundleidentifier
- https://github.com/MobSF/Mobile-Security-Framework-MobSF
- https://github.com/MobSF/Mobile-Security-Framework-MobSF/blob/d1d3b7a9aeb1a8c8c7c229a3455b19ade9fa8fe0/mobsf/templates/dynamic_analysis/ios/dynamic_analysis.html
- https://github.com/MobSF/Mobile-Security-Framework-MobSF/commit/05206e72cae35b311615a70e51e1a946955c5e83
- https://github.com/MobSF/Mobile-Security-Framework-MobSF/security/advisories/GHSA-cxqq-w3x5-7ph3
- https://github.com/advisories/GHSA-cxqq-w3x5-7ph3
- https://nvd.nist.gov/vuln/detail/CVE-2025-24803