CVE-2024-29190 Overview
CVE-2024-29190 is a Server-Side Request Forgery (SSRF) vulnerability affecting Mobile Security Framework (MobSF), an open-source pen-testing, malware analysis, and security assessment framework. The flaw exists in MobSF version 3.9.5 Beta and prior, where the application fails to perform input validation when extracting hostnames from the android:host attribute during static analysis of Android applications. Attackers can craft malicious Android manifests that force the MobSF server to issue requests to internal-only services within an organization's infrastructure. The issue is tracked under CWE-918 and was addressed via commit 5a8eeee73c5f504a6c3abdf2a139a13804efdb77.
Critical Impact
Unauthenticated attackers can pivot through MobSF to reach internal services, exposing sensitive metadata endpoints, admin interfaces, and cloud instance APIs that are otherwise unreachable from the internet.
Affected Products
- OpenSecurity Mobile Security Framework (MobSF) version 3.9.5 Beta
- OpenSecurity Mobile Security Framework (MobSF) all prior versions
- Deployments scanning untrusted Android APK samples
Discovery Timeline
- 2024-03-22 - CVE-2024-29190 published to the National Vulnerability Database
- 2025-06-30 - Last updated in NVD database
Technical Details for CVE-2024-29190
Vulnerability Analysis
The vulnerability resides in the static analysis routine that parses Android manifest files. During analysis, MobSF extracts hostname values from the android:host attribute of intent filters and uses them to construct outbound HTTP requests. The parsing logic accepts arbitrary string values without filtering against an allowlist or rejecting internal address ranges. As a result, an attacker who submits a crafted APK to MobSF can direct the server to connect to 127.0.0.1, RFC1918 ranges, or cloud metadata services such as 169.254.169.254.
The flaw produces a classic blind SSRF condition. Because MobSF performs scanning under privileged contexts and is frequently deployed inside corporate networks or CI/CD pipelines, the requests originate from a trusted internal source. Attackers can enumerate internal hosts, fingerprint services, and in cloud environments retrieve temporary credentials from instance metadata endpoints.
Root Cause
The root cause is missing input validation on user-controlled data parsed from APK manifests. The android:host value flows directly into the network request layer without sanitization, hostname resolution checks, or restrictions on the resolved IP ranges. This is a textbook CWE-918 Server-Side Request Forgery defect.
Attack Vector
Exploitation requires an attacker to submit a malicious APK to a MobSF instance for static analysis. No authentication is required when MobSF is exposed without access controls, and no user interaction is required beyond the standard scan invocation. The attacker embeds an intent filter whose <data> element in AndroidManifest.xml references an internal hostname or IP. When MobSF parses the manifest, it issues outbound traffic to the attacker-specified destination. See the GitHub Security Advisory GHSA-wfgj-wrgh-h3r3 for additional technical context.
Detection Methods for CVE-2024-29190
Indicators of Compromise
- Outbound HTTP connections from the MobSF host to internal IP ranges (127.0.0.0/8, 10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16) during APK scans
- Connections from the MobSF host to cloud metadata endpoints such as 169.254.169.254
- Unexpected DNS resolutions for internal hostnames triggered by the MobSF process
Detection Strategies
- Inspect submitted APK manifests for android:host values referencing private IP literals or internal DNS names
- Correlate MobSF process network telemetry with scan job identifiers to surface anomalous destinations
- Alert on MobSF-originated traffic that bypasses the configured outbound proxy or egress controls
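The first detection strategy above (inspecting submitted manifests for android:host values that point inside the perimeter) can be scripted. The block below is an added example, not MobSF's own code. It assumes the manifest has already been decoded from the APK's binary XML to plain XML (MobSF does this with apktool during static analysis); the sample manifest and the internal-suffix list are constructed for the example. It deliberately performs no DNS lookups: resolving an attacker-chosen name from the analyst's own host would itself send a query to the attacker's resolver.

```python
"""Static triage of android:host values in a decoded AndroidManifest.xml.

Added example (not MobSF code). Sample manifest and heuristics are constructed.
"""
import ipaddress
import xml.etree.ElementTree as ET

ANDROID_NS = "http://schemas.android.com/apk/res/android"
HOST_ATTR = f"{{{ANDROID_NS}}}host"

# Name suffixes that usually mean "inside the perimeter". Heuristic; tune per environment.
INTERNAL_SUFFIXES = (".local", ".internal", ".corp", ".lan", ".intranet", ".localhost")

# Constructed sample: one legitimate App Link host plus four that should be flagged.
SAMPLE_MANIFEST = """\
<manifest xmlns:android="http://schemas.android.com/apk/res/android" package="com.example.sample">
  <application>
    <activity android:name=".MainActivity">
      <intent-filter android:autoVerify="true">
        <action android:name="android.intent.action.VIEW"/>
        <data android:scheme="https" android:host="www.example.com" android:path="/open"/>
        <data android:scheme="https" android:host="169.254.169.254"/>
        <data android:scheme="http" android:host="10.0.0.7" android:port="8080"/>
        <data android:scheme="https" android:host="vault.corp.internal"/>
        <data android:scheme="https" android:host="jenkins"/>
      </intent-filter>
    </activity>
  </application>
</manifest>
"""


def classify_host(host: str) -> str:
    """Return why the host looks internal, or '' if it looks like an ordinary public name.

    No DNS resolution is performed: the host string is attacker-controlled.
    """
    host = host.strip().strip("[]").rstrip(".").lower()  # "[::1]" -> "::1"
    if not host:
        return ""
    try:
        ip = ipaddress.ip_address(host)
    except ValueError:
        ip = None
    if ip is not None:
        # "::ffff:10.0.0.7" is an IPv4 address in IPv6 clothing; judge the inner address.
        if isinstance(ip, ipaddress.IPv6Address) and ip.ipv4_mapped is not None:
            ip = ip.ipv4_mapped
        if ip == ipaddress.ip_address("169.254.169.254"):
            return "cloud metadata endpoint"
        if ip.is_private or ip.is_loopback or ip.is_link_local or ip.is_unspecified:
            return "private/loopback/link-local IP literal"
        return ""  # public IP literal: unusual for App Links, but not internal
    if host == "localhost" or host.endswith(INTERNAL_SUFFIXES):
        return "internal DNS name"
    if "." not in host:
        return "single-label hostname (search-domain resolution)"
    return ""


def find_suspicious_hosts(manifest_xml: str) -> list:
    """Return (host, reason) for every android:host on a <data> element that looks internal."""
    root = ET.fromstring(manifest_xml)
    findings = []
    for data in root.iter("data"):  # <data> elements live under <intent-filter>
        host = data.get(HOST_ATTR)
        if host is None:
            continue
        reason = classify_host(host)
        if reason:
            findings.append((host, reason))
    return findings


if __name__ == "__main__":
    for host, reason in find_suspicious_hosts(SAMPLE_MANIFEST):
        print(f"{host:25} {reason}")
```

Run it against every manifest extracted from a submitted sample before the scan job is allowed to proceed; a non-empty result is a reason to quarantine the APK and review the submitter, not merely to log it.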
Monitoring Recommendations
- Forward MobSF application logs and host network logs to a centralized SIEM for retention and correlation
- Baseline normal MobSF outbound destinations and flag deviations to internal address space
- Monitor cloud audit logs for metadata service access from any host running MobSF
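The telemetry-side recommendations (correlate MobSF network activity with scan job identifiers, baseline normal destinations and flag deviations to internal address space) come down to a small triage pass over connection records. The block below is an added example, not MobSF code or any SIEM vendor's rule. The key=value log format, the sample records and the baseline set are all constructed for the example; in practice the job id would be joined onto the connection records from MobSF's application log by time and process.

```python
"""Flag anomalous outbound connections from a MobSF host and group them by scan job.

Added example (not MobSF code). Log format, records and baseline are constructed.
"""
import ipaddress
from collections import defaultdict

METADATA_IP = ipaddress.ip_address("169.254.169.254")

# Constructed telemetry: connections observed from the host running MobSF,
# already tagged with the scan job that was running at the time.
SAMPLE_TELEMETRY = """\
ts=2024-03-22T10:01:02Z job=scan-1042 proc=python3 dst=93.184.216.34 dport=443
ts=2024-03-22T10:01:03Z job=scan-1042 proc=python3 dst=151.101.1.67 dport=443
ts=2024-03-22T10:07:41Z job=scan-1043 proc=python3 dst=169.254.169.254 dport=80
ts=2024-03-22T10:07:42Z job=scan-1043 proc=python3 dst=10.0.0.7 dport=8080
ts=2024-03-22T10:07:43Z job=scan-1043 proc=python3 dst=104.18.32.7 dport=443
ts=2024-03-22T10:15:00Z job=scan-1044 proc=python3 dst=93.184.216.34 dport=443
"""

# Constructed baseline: destinations seen during a period of known-good scanning.
BASELINE = {"93.184.216.34", "151.101.1.67"}


def parse_record(line: str) -> dict:
    """Turn 'k=v k=v ...' into a dict; tolerant of blank or malformed lines."""
    fields = {}
    for token in line.split():
        key, sep, value = token.partition("=")
        if sep:
            fields[key] = value
    return fields


def classify_destination(dst: str, baseline: set) -> str:
    """Return the alert reason for a destination, or '' if it is expected."""
    try:
        ip = ipaddress.ip_address(dst)
    except ValueError:
        return "unparseable destination"
    if ip == METADATA_IP:
        return "cloud metadata endpoint"
    if ip.is_private or ip.is_loopback or ip.is_link_local:
        return "internal address space"
    if dst not in baseline:
        return "destination not in baseline"
    return ""


def triage_telemetry(text: str, baseline: set) -> dict:
    """Group alerts by scan job so one malicious APK surfaces as one incident, not N events."""
    alerts = defaultdict(list)
    for line in text.splitlines():
        rec = parse_record(line)
        if "dst" not in rec:
            continue
        reason = classify_destination(rec["dst"], baseline)
        if reason:
            alerts[rec.get("job", "unknown")].append((rec["dst"], reason))
    return dict(alerts)


if __name__ == "__main__":
    for job, hits in triage_telemetry(SAMPLE_TELEMETRY, BASELINE).items():
        print(job)
        for dst, reason in hits:
            print(f"  {dst:18} {reason}")
```

The ordering of the checks matters: the metadata and internal-range rules fire regardless of baseline membership, so a stale baseline that happens to contain an internal address cannot silence them. A "destination not in baseline" hit on its own is lower severity and is best reviewed alongside the other alerts for the same job.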
How to Mitigate CVE-2024-29190
Immediate Actions Required
- Upgrade MobSF to a version that includes commit 5a8eeee73c5f504a6c3abdf2a139a13804efdb77 or later
- Restrict network access from MobSF servers to internal subnets and cloud metadata endpoints using host-based or network firewalls
- Place MobSF behind authentication and limit APK submission to trusted analysts only
Patch Information
The MobSF maintainers published a hotfix in commit 5a8eeee73c5f504a6c3abdf2a139a13804efdb77. The fix introduces validation on hostnames extracted from android:host to block requests targeting internal-only destinations. Administrators should pull the patched build from the official repository and redeploy any analysis workers.
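The patch is described as adding validation on hostnames taken from android:host so that internal-only destinations are blocked. The block below is an added example of that kind of check, written here for illustration; it is not the MobSF maintainers' code from the referenced commit and makes no claim about how that commit is implemented. It assumes the resolver can be injected (the default uses the standard library) so the logic can be exercised offline, and the sample addresses in the usage are constructed.

```python
"""Validate an outbound host before an analyser makes a request on the server's behalf.

Added example (not MobSF code). Resolver is injectable so the check runs offline.
"""
import ipaddress
import socket
from typing import Callable, Iterable

Resolver = Callable[[str], Iterable[str]]

# Ranges the ipaddress properties do not flag but that are still not "the internet".
EXTRA_BLOCKED = (ipaddress.ip_network("100.64.0.0/10"),)  # RFC 6598 shared address space


def is_blocked_ip(ip) -> bool:
    """True for any address an analysis server must never be made to contact."""
    # "::ffff:10.0.0.1" is an IPv4 address in IPv6 clothing; judge the inner address.
    if isinstance(ip, ipaddress.IPv6Address) and ip.ipv4_mapped is not None:
        ip = ip.ipv4_mapped
    return (
        ip.is_private          # RFC 1918, fc00::/7, documentation ranges
        or ip.is_loopback      # 127.0.0.0/8, ::1
        or ip.is_link_local    # 169.254.0.0/16 (cloud metadata), fe80::/10
        or ip.is_multicast
        or ip.is_reserved
        or ip.is_unspecified   # 0.0.0.0, ::
        or any(ip in net for net in EXTRA_BLOCKED)
    )


def default_resolver(host: str) -> list:
    """Resolve every A/AAAA record; a public name may hide an internal record among them."""
    return [info[4][0] for info in socket.getaddrinfo(host, None)]


def validate_outbound_host(host: str, resolver: Resolver = default_resolver) -> bool:
    """Return True only if the host and every address it resolves to are external."""
    host = host.strip().strip("[]")  # android:host may carry a bracketed IPv6 literal
    if not host:
        return False
    try:
        # Literal IP: no DNS needed, decide directly.
        return not is_blocked_ip(ipaddress.ip_address(host))
    except ValueError:
        pass
    try:
        addrs = list(resolver(host))
    except OSError:  # socket.gaierror is a subclass
        return False  # unresolvable names are rejected, not retried
    if not addrs:
        return False
    # Fail closed on the whole set: one internal record is enough to reach the intranet.
    return all(not is_blocked_ip(ipaddress.ip_address(a)) for a in addrs)


if __name__ == "__main__":
    # Constructed fake resolver so the demonstration needs no network.
    table = {
        "example.com": ["93.184.216.34"],
        "intranet": ["10.0.0.5"],
        "mixed.example": ["93.184.216.34", "10.1.2.3"],
    }
    fake = lambda h: table.get(h, [])
    for candidate in ["127.0.0.1", "169.254.169.254", "[::ffff:10.0.0.5]",
                      "example.com", "intranet", "mixed.example"]:
        print(f"{candidate:22} allowed={validate_outbound_host(candidate, fake)}")
```

One caveat a validator like this cannot close on its own: if the request layer resolves the name a second time when it connects, a record that changes between the check and the connection (DNS rebinding) slips past it. Connect to the address that was validated, and apply the same check to every redirect target, rather than validating the name once and then handing it to an HTTP client.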
Workarounds
- Deploy MobSF inside an isolated network segment with no route to production internal services or cloud metadata APIs
- Configure an egress proxy that enforces an allowlist of permitted external destinations for MobSF traffic
- Disable IMDSv1 and require IMDSv2 with the metadata response hop limit set to 1 on cloud instances hosting MobSF to limit metadata exposure
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.