CVE-2025-46730 Overview
CVE-2025-46730 is a Denial of Service vulnerability affecting MobSF (Mobile Security Framework), a widely-used mobile application security testing tool. The vulnerability exists in the ZIP file upload functionality used for static analysis, where insufficient validation of compressed file sizes allows attackers to exploit a "ZIP of Death" (zip bomb) attack vector.
MobSF is typically deployed on centralized internal or cloud-based servers that host other security tools and web applications. Access to the MobSF web interface is commonly granted to internal security teams, audit teams, and external vendors, making this vulnerability particularly concerning for organizations with shared infrastructure.
Critical Impact
An attacker can craft a specially prepared ZIP file that appears small in compressed form but expands to a massive size upon extraction, exhausting server disk space and causing denial of service not only for MobSF but for all other applications hosted on the same server.
Affected Products
- OpenSecurity Mobile Security Framework versions up to and including 4.3.2
- MobSF deployments accepting ZIP file uploads for static analysis
- Cloud-based mobile security tools built on MobSF core
Discovery Timeline
- 2025-05-05 - CVE-2025-46730 published to NVD
- 2025-09-03 - Last updated in NVD database
Technical Details for CVE-2025-46730
Vulnerability Analysis
This vulnerability is classified under CWE-409 (Improper Handling of Highly Compressed Data). The MobSF application provides a feature allowing users to upload ZIP files for static analysis of mobile applications. Upon upload, these ZIP files are automatically extracted and stored within the MobSF directory structure.
The core issue is that versions up to and including 4.3.2 lack any validation check on the total uncompressed size of uploaded ZIP files before extraction. This oversight creates a classic resource exhaustion condition where a malicious archive with a high compression ratio can consume all available disk space when decompressed.
The attack is network-accessible and requires only low privileges (authenticated user access to the MobSF web interface). No user interaction is required beyond the initial file upload, making exploitation straightforward for any user with upload permissions.
Root Cause
The root cause of this vulnerability is the absence of pre-extraction validation for the total uncompressed size of uploaded ZIP archives. The application trusts the compressed file size rather than calculating or estimating the decompressed footprint before extraction. This allows specially crafted archives with extreme compression ratios to bypass any implicit file size limits based on upload constraints.
Attack Vector
The attack vector involves uploading a maliciously crafted ZIP bomb through the MobSF web interface. An attacker with valid credentials (which could include external vendors or audit teams) can:
- Create a specially crafted ZIP file with extreme compression ratio (e.g., nested archives or highly repetitive data)
- Upload the small compressed file through the normal static analysis workflow
- Trigger extraction which consumes all available disk space
- Cause denial of service for MobSF and any co-hosted applications
The security patch in commit 6987a946485a795f4fd38cebdb4860b368a1995d addresses this issue in version 4.3.3:
logger = logging.getLogger(__name__)
-VERSION = '4.3.2'
+VERSION = '4.3.3'
BANNER = r"""
__ __ _ ____ _____ _ _ _____
| \/ | ___ | |__/ ___|| ___|_ _| || | |___ /
Source: GitHub Commit
Detection Methods for CVE-2025-46730
Indicators of Compromise
- Unusual disk space consumption spikes on servers hosting MobSF
- Large extracted directories in the MobSF storage path following ZIP uploads
- Server crashes or service unavailability following file upload operations
- Log entries showing extraction operations on ZIP files with extremely high compression ratios
Detection Strategies
- Monitor disk usage on MobSF servers and set alerts for rapid consumption patterns
- Implement file upload logging to track ZIP files uploaded for analysis with size metadata
- Review MobSF access logs for suspicious upload activity from unexpected users or IP addresses
- Deploy application-level monitoring to detect extraction processes consuming excessive resources
Monitoring Recommendations
- Configure disk space threshold alerts at 80% and 90% capacity on MobSF servers
- Implement rate limiting on file upload endpoints to slow potential attack progression
- Log and audit all ZIP file uploads including compressed size, user identity, and timestamp
- Monitor extraction process duration and resource consumption for anomaly detection
How to Mitigate CVE-2025-46730
Immediate Actions Required
- Upgrade MobSF to version 4.3.3 or later which includes the security fix
- Review recent upload logs for any suspicious ZIP file submissions
- Audit user accounts with MobSF upload permissions and revoke unnecessary access
- Consider temporarily disabling ZIP upload functionality until patching is complete
Patch Information
The vulnerability is fixed in MobSF version 4.3.3. The security patch is available in commit 6987a946485a795f4fd38cebdb4860b368a1995d. Organizations should update their MobSF installations immediately by pulling the latest version from the official repository.
For detailed patch information, refer to the GitHub Security Advisory and the GitHub Commit.
Workarounds
- Implement a pre-extraction validation check that estimates the uncompressed size of uploaded ZIP files
- Reject any ZIP files where the estimated uncompressed size exceeds a safe threshold (recommended: 100 MB)
- Deploy MobSF on isolated infrastructure separate from other critical applications
- Implement upload file size limits at the web server or reverse proxy level
- Use disk quotas on the MobSF storage directory to limit potential impact
# Example: Set disk quota for MobSF storage directory (Linux)
# This limits the impact of a successful zip bomb attack
sudo setquota -u mobsf_user 0 500M 0 0 /dev/sda1
# Example: Configure nginx upload size limit as additional protection
# Add to nginx server configuration
client_max_body_size 50M;
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.
