Advisory Database

CVE-2024-29190: SSRF Vulnerability on assetlinks_check(act_name, well_knowns)

March 22, 2024 (updated June 30, 2025)

While examining the “App Link assetlinks.json file could not be found” finding reported by MobSF, we, the Trendyol Application Security team, noticed that MobSF sends a GET request to the /.well-known/assetlinks.json endpoint of every host declared in an android:host attribute of the AndroidManifest.xml file.

Because MobSF performs no input validation on the hostnames it extracts from android:host, those requests can also be directed at loopback and internal-network hosts. Anyone who can submit a manifest for analysis (for example, inside a crafted APK) can therefore make the MobSF server issue requests on their behalf, which is a server-side request forgery (SSRF) vulnerability (CWE-918).
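The flow described above, as an added example that is not MobSF's or mobsfscan's own code: a constructed AndroidManifest.xml is parsed, its android:host values are turned into assetlinks.json URLs the way an unchecked scanner does it, and then passed through a host check that refuses the SSRF targets (non-public IP literals, reserved local names, hosts with URL-breaking characters, and public names that resolve to internal addresses). The function names, the sample manifest and the canned DNS answers standing in for socket.getaddrinfo() are assumptions made for this example, not the project's fix.

```python
"""Added illustration, not MobSF's or mobsfscan's own code. Function names, the
sample manifest and the DNS answers below are all constructed for the example."""
import ipaddress
import re
import xml.etree.ElementTree as ET

ANDROID_NS = "http://schemas.android.com/apk/res/android"

# Constructed manifest: one legitimate App Link host plus hosts an attacker
# could add to point the scanner at its own machine or internal network.
SAMPLE_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
          package="com.example.app">
  <application>
    <activity android:name=".MainActivity">
      <intent-filter android:autoVerify="true">
        <data android:scheme="https" android:host="www.example.com"/>
        <data android:scheme="https" android:host="127.0.0.1"/>
        <data android:scheme="https" android:host="169.254.169.254"/>
        <data android:scheme="https" android:host="[::1]"/>
        <data android:scheme="https" android:host="localhost"/>
        <data android:scheme="https" android:host="10.0.0.5"/>
        <data android:scheme="https" android:host="www.example.com@127.0.0.1"/>
        <data android:scheme="https" android:host="rebind.attacker.example"/>
      </intent-filter>
    </activity>
  </application>
</manifest>
"""

# Constructed DNS answers standing in for socket.getaddrinfo(), so the example
# runs offline; names not listed here do not resolve.
FAKE_DNS = {
    "www.example.com": ["93.184.216.34"],
    "rebind.attacker.example": ["127.0.0.1"],  # public name, internal answer
}


def fake_resolve(host):
    return FAKE_DNS.get(host.lower().rstrip("."), [])


def extract_hosts(manifest_xml):
    """Every android:host declared in a <data> element of the manifest."""
    root = ET.fromstring(manifest_xml)
    hosts = []
    for data in root.iter("data"):
        host = data.get(f"{{{ANDROID_NS}}}host")
        if host and host not in hosts:
            hosts.append(host)
    return hosts


# One DNS label: 1-63 alphanumerics or hyphens, not starting or ending with '-'.
_LABEL = r"(?!-)[A-Za-z0-9-]{1,63}(?<!-)"
HOSTNAME_RE = re.compile(rf"{_LABEL}(?:\.{_LABEL})*\.?")


def classify_host(host, resolve=fake_resolve):
    """'ok' if https://<host>/... may be fetched, otherwise the reason it may not."""
    # IP literals (bracketed IPv6 included) must be globally routable: loopback,
    # RFC 1918 and link-local (cloud metadata) addresses are all rejected.
    literal = host[1:-1] if host.startswith("[") and host.endswith("]") else host
    try:
        ip = ipaddress.ip_address(literal)
    except ValueError:
        ip = None
    if ip is not None:
        return "ok" if ip.is_global else f"non-public address {ip}"
    # Otherwise require a syntactically valid DNS name, so characters such as
    # '@', '/', ':' or '?' cannot rewrite the URL built around it.
    if len(host) > 253 or not HOSTNAME_RE.fullmatch(host):
        return "not a valid DNS hostname"
    if host.lower().rstrip(".").split(".")[-1] in ("localhost", "local"):
        return "reserved local name"
    # A public-looking name can still resolve to an internal address
    # (attacker-controlled DNS, rebinding), so check the answers as well.
    addrs = resolve(host)
    if not addrs:
        return "does not resolve"
    for addr in addrs:
        if not ipaddress.ip_address(addr).is_global:
            return f"resolves to non-public address {addr}"
    return "ok"


def assetlinks_targets(hosts, validate=True, resolve=fake_resolve):
    """URLs the scanner would GET plus the (host, reason) pairs it refused.
    validate=False reproduces the vulnerable behaviour: every host, verbatim."""
    urls, skipped = [], []
    for host in hosts:
        reason = classify_host(host, resolve) if validate else "ok"
        if reason == "ok":
            urls.append(f"https://{host}/.well-known/assetlinks.json")
        else:
            skipped.append((host, reason))
    return urls, skipped


if __name__ == "__main__":
    hosts = extract_hosts(SAMPLE_MANIFEST)
    print("unchecked:", *assetlinks_targets(hosts, validate=False)[0], sep="\n  GET ")
    urls, skipped = assetlinks_targets(hosts)
    print("checked:", *urls, sep="\n  GET ")
    for host, reason in skipped:
        print(f"  skip {host!r}: {reason}")
```

Run stand-alone, the unchecked path prints one GET line per host, including the loopback, link-local metadata and user-info (`@`) targets, while the checked path keeps only the www.example.com URL and prints the reason each other host was refused. In a real fetch the same check has to be repeated on every redirect target and the request given a short timeout, otherwise a public host can still bounce the scanner to an internal address.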

References

  • drive.google.com/file/d/1nbKMd2sKosbJef5Mh4DxjcHcQ8Hw0BNR/view?usp=share_link
  • github.com/MobSF/Mobile-Security-Framework-MobSF
  • github.com/MobSF/Mobile-Security-Framework-MobSF/commit/5a8eeee73c5f504a6c3abdf2a139a13804efdb77
  • github.com/MobSF/Mobile-Security-Framework-MobSF/security/advisories/GHSA-wfgj-wrgh-h3r3
  • github.com/MobSF/mobsfscan/commit/61fd40b477bbf9d204eb8c5a83a86c396d839798
  • github.com/MobSF/mobsfscan/commit/cd01b71770a6e56c1c71b0e5f454e7b6c9c64ef4
  • github.com/advisories/GHSA-wfgj-wrgh-h3r3
  • github.com/pypa/advisory-database/tree/main/vulns/mobsf/PYSEC-2024-257.yaml
  • nvd.nist.gov/vuln/detail/CVE-2024-29190

Affected versions

All versions before 0.3.8

Fixed versions

  • 0.3.8

Solution

Upgrade to version 0.3.8 or above.

Impact: 7.5 HIGH

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N

Decoded: reachable over the network, low attack complexity, no privileges and no user interaction required, scope unchanged; high confidentiality impact, no integrity or availability impact.

Weakness

  • CWE-918: Server-Side Request Forgery (SSRF)

Source file

pypi/mobsfscan/CVE-2024-29190.yml


Page generated Sat, 23 Aug 2025 00:19:41 +0000.