GHSA-mwfg-948f-2cc5

Suggest an improvement
Source
https://github.com/advisories/GHSA-mwfg-948f-2cc5
Import Source
https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2025/05/GHSA-mwfg-948f-2cc5/GHSA-mwfg-948f-2cc5.json
JSON Data
https://api.osv.dev/v1/vulns/GHSA-mwfg-948f-2cc5
Aliases
  • CVE-2025-46335
Published
2025-05-05T14:55:59Z
Modified
2025-05-05T22:39:22.006334Z
Severity
  • 6.9 (Medium) CVSS_V4 - CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:P/VC:H/VI:L/VA:N/SC:N/SI:N/SA:N CVSS Calculator
Summary
Mobile Security Framework (MobSF) Allows Stored Cross Site Scripting (XSS) via malicious SVG Icon Upload
Details

Vulnerable MobSF Versions: <= v4.3.2

CVSS V4.0 Score: 8.6 (CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:P/VC:H/VI:H/VA:L/SC:N/SI:N/SA:N)

Details: A Stored Cross-Site Scripting (XSS) vulnerability has been identified in MobSF versions ≤ 4.3.2. The vulnerability arises from improper sanitization of user-supplied SVG files during the Android APK analysis workflow.

When an Android Studio project contains a malicious SVG file as an app icon (e.g path, /app/src/main/res/mipmap-hdpi/ic_launcher.svg), and the project is zipped and uploaded to MobSF, the tool processes and extracts the contents without validating or sanitizing the SVG.

Upcon ZIP extraction this icon file is saved by MobSF to: user/.MobSF/downloads/<filename>.svg

This file becomes publicly accessible via the web interface at:

http://127.0.0.1:8081/download/filename.svg

If the SVG contains embedded JavaScript (e.g., an XSS payload), accessing this URL via a browser leads to the execution of the script in the context of the MobSF user session, resulting in stored XSS.

Proof Of Concept:

  1. Create a malicious SVG file (ic_launcher.svg) with an embedded XSS payload.

01

  1. Place the file in the Android Studio project directory: /app/src/main/res/mipmap-hdpi/ic_launcher.svg

02

  1. Zip the project directory and upload it to MobSF.

03

  1. After the scan, navigate to the "Recent Scans" page in the MobSF web interface and click on the scan entry and open the icon file in a new browser tab.

04

  1. The XSS payload is executed, confirming the vulnerability.

05

Database specific
{
    "nvd_published_at": "2025-05-05T19:15:56Z",
    "cwe_ids": [
        "CWE-79"
    ],
    "severity": "MODERATE",
    "github_reviewed": true,
    "github_reviewed_at": "2025-05-05T14:55:59Z"
}
References

Affected packages

PyPI / mobsf

Package

Affected ranges

Type
ECOSYSTEM
Events
Introduced
0Unknown introduced version / All previous versions are affected
Fixed
4.3.3

Affected versions

3.*

3.2.6
3.2.7
3.2.8
3.2.9
3.3.3
3.3.5
3.4.0
3.4.3
3.4.6
3.5.0
3.6.0
3.6.9
3.7.6
3.9.7

4.*

4.1.3
4.3.0
4.3.2

Database specific

{
    "last_known_affected_version_range": "<= 4.3.2"
}