CVE-2025-24805: MobSF Local Privilege Escalation
Product: Mobile Security Framework (MobSF)
Version: 4.3.0
CWE-ID: CWE-269: Improper Privilege Management
CVSS v4.0: 7.1 (AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:N/VA:N/SC:L/SI:N/SA:N)
CVSS v3.1: 6.5 (AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N)
Description: MobSF divides users by roles. This role separation is not effective, because any registered user can obtain an API token that carries all privileges.
Impact: Information Disclosure
Vulnerable component: Code output component (/source_code)
Exploitation conditions: any authenticated user
Mitigation: Remove the token from the JavaScript returned by the component
Researcher: Egor Filatov (Positive Technologies)
References
- github.com/MobSF/Mobile-Security-Framework-MobSF
- github.com/MobSF/Mobile-Security-Framework-MobSF/commit/05206e72cae35b311615a70e51e1a946955c5e83
- github.com/MobSF/Mobile-Security-Framework-MobSF/security/advisories/GHSA-79f6-p65j-3m2m
- github.com/advisories/GHSA-79f6-p65j-3m2m
- nvd.nist.gov/vuln/detail/CVE-2025-24805