CVE-2024-29190

7.5 HIGH

📋 TL;DR

This CVE describes a server-side request forgery (SSRF) vulnerability in Mobile Security Framework (MobSF) versions 3.9.5 Beta and prior. When MobSF statically analyses an Android APK, it extracts hostnames declared in the app's AndroidManifest.xml (android:host) and makes HTTP requests to them without validating the destination. An attacker who gets a crafted APK analysed can therefore make the MobSF server send requests to loopback, RFC1918 and link-local addresses, including cloud instance-metadata endpoints. Organizations running vulnerable MobSF instances for mobile app security testing are affected.

💻 Affected Systems

Products:
  • Mobile Security Framework (MobSF)
Versions: 3.9.5 Beta and prior
Operating Systems: All platforms where MobSF runs
Default Config Vulnerable: ⚠️ Yes
Notes: Triggered during static analysis of Android APKs; the attacker-controlled hostnames are read from the uploaded package's manifest, and the code path is active in a default install.

📦 What is this software?

Mobile Security Framework (MobSF) is an open-source, Django-based web application for automated static and dynamic security analysis of Android, iOS and Windows mobile apps. Users upload binaries (APK, IPA, APPX) or source archives through a web UI or REST API, so the server routinely parses attacker-controllable files.

⚠️ Risk & Real-World Impact

🔴 Worst Case

An attacker could leverage the SSRF to access sensitive internal services, potentially leading to data exfiltration, internal network reconnaissance, or chaining with other vulnerabilities to achieve remote code execution.

🟠 Likely Case

Attackers could scan internal networks, read cloud instance-metadata services (credentials, user-data), or interact with internal APIs that shouldn't be exposed externally, potentially compromising internal systems.

🟢 If Mitigated

With proper network segmentation and access controls, the impact would be limited to the specific network segment where MobSF is deployed.

🌐 Internet-Facing: HIGH
🏢 Internal Only: MEDIUM

🎯 Exploit Status

Public PoC: ✅ No
Weaponized: UNKNOWN
Unauthenticated Exploit: ⚠️ Yes
Complexity: LOW

The attacker needs a crafted APK to be submitted for analysis. A default MobSF install does not require authentication to upload, and even an authenticated instance is exposed whenever an analyst uploads an untrusted sample, because the manifest inside the APK is attacker-controlled.
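The following is an added example, not MobSF code and not from the advisory. It shows the vulnerable pattern next to a hardened one: manifest hosts are pulled from a constructed AndroidManifest.xml, and the fetch target is modelled on an App Link verification request for /.well-known/assetlinks.json. DNS is replaced by a constructed lookup table (FAKE_DNS) so it runs offline; the host names, addresses and the function names are all assumptions for illustration.

```python
import ipaddress
import xml.etree.ElementTree as ET

ANDROID_NS = "http://schemas.android.com/apk/res/android"

# Constructed manifest: one legitimate App Link host plus two attacker-chosen
# hosts, one pointing at cloud metadata and one at an internal name.
MANIFEST = """<?xml version="1.0" encoding="utf-8"?>
<manifest xmlns:android="http://schemas.android.com/apk/res/android" package="com.example.app">
  <application>
    <activity android:name=".MainActivity">
      <intent-filter android:autoVerify="true">
        <action android:name="android.intent.action.VIEW"/>
        <data android:scheme="https" android:host="example.com"/>
        <data android:scheme="http" android:host="169.254.169.254"/>
        <data android:scheme="http" android:host="intranet.corp"/>
      </intent-filter>
    </activity>
  </application>
</manifest>"""

# Constructed stand-in for DNS; real code would use socket.getaddrinfo.
FAKE_DNS = {
    "example.com": ["93.184.216.34"],
    "intranet.corp": ["10.0.5.20"],
}


def manifest_hosts(xml_text):
    """Return every android:host declared in an intent-filter <data> element."""
    root = ET.fromstring(xml_text)
    hosts = []
    for data in root.iter("data"):
        host = data.get(f"{{{ANDROID_NS}}}host")
        if host and host not in hosts:
            hosts.append(host)
    return hosts


def resolve(host, dns=FAKE_DNS):
    """Resolve a host to IP strings; an IP literal resolves to itself."""
    try:
        return [str(ipaddress.ip_address(host))]
    except ValueError:
        return dns.get(host, [])


def is_public_address(ip_str):
    """Reject loopback, RFC1918, link-local (169.254/16), multicast and reserved."""
    ip = ipaddress.ip_address(ip_str)
    return not (ip.is_private or ip.is_loopback or ip.is_link_local
                or ip.is_multicast or ip.is_reserved or ip.is_unspecified)


def assetlinks_url_unsafe(host):
    """Vulnerable pattern: trust the manifest host and build the fetch URL from it."""
    return f"https://{host}/.well-known/assetlinks.json"


def assetlinks_url_safe(host, dns=FAKE_DNS):
    """Hardened pattern: only build the URL if every resolved address is public."""
    addrs = resolve(host, dns)
    if not addrs or not all(is_public_address(a) for a in addrs):
        return None
    return f"https://{host}/.well-known/assetlinks.json"


def fetch_targets(xml_text, safe=True, dns=FAKE_DNS):
    """Map each manifest host to the URL that would be fetched (None = blocked)."""
    return {
        host: (assetlinks_url_safe(host, dns) if safe else assetlinks_url_unsafe(host))
        for host in manifest_hosts(xml_text)
    }


if __name__ == "__main__":
    print("unsafe:", fetch_targets(MANIFEST, safe=False))
    print("safe:  ", fetch_targets(MANIFEST, safe=True))
```

Resolving once and then handing the hostname to an HTTP client that resolves it again leaves a DNS-rebinding window; a production fix should connect to the vetted address (or validate inside the client's connection hook) rather than re-resolve the name.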

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: Fixed in commit 5a8eeee73c5f504a6c3abdf2a139a13804efdb77 and later versions

Vendor Advisory: https://github.com/MobSF/Mobile-Security-Framework-MobSF/security/advisories/GHSA-wfgj-wrgh-h3r3

Restart Required: Yes

Instructions:

1. Update MobSF to the latest version from GitHub.
2. If running from source, confirm that commit 5a8eeee73c5f504a6c3abdf2a139a13804efdb77 is included in your checkout (cherry-pick it if you cannot move to the current branch).
3. Restart the MobSF service.

🔧 Temporary Workarounds

Network Segmentation (all platforms)

Isolate MobSF instances in a restricted network segment with limited outbound access. The request is made by the MobSF server itself, so the control has to sit on its egress path.

Egress Filtering Proxy (all platforms)

Force MobSF's outbound HTTP(S) through a forward proxy that denies requests to loopback, RFC1918 and link-local destinations. The attacker-chosen hostname is embedded in the uploaded APK's manifest, not in an HTTP parameter, so a reverse proxy in front of MobSF cannot filter it.

🧯 If You Can't Patch

  • Restrict network egress from MobSF instances to only necessary external services
  • Implement strict firewall rules that block MobSF from reaching internal network segments, including 127.0.0.0/8 and 169.254.0.0/16; cloud instance-metadata endpoints are link-local, so rules covering only the RFC1918 ranges miss them

🔍 How to Verify

Check if Vulnerable:

Check if MobSF version is 3.9.5 Beta or earlier by examining the version in the web interface or checking the installation directory

Check Version:

Check the version shown in the MobSF web interface, or read the VERSION string in mobsf/MobSF/init.py in the checkout. Note that python manage.py --version reports the Django version, not MobSF's.

Verify Fix Applied:

From a source checkout, run git merge-base --is-ancestor 5a8eeee73c5f504a6c3abdf2a139a13804efdb77 HEAD (exit status 0 means the fix is included), or confirm you are running a release newer than 3.9.5 Beta.

📡 Detection & Monitoring

Log Indicators:

  • Outbound HTTP requests from the MobSF server to internal IP addresses, in particular requests for /.well-known/assetlinks.json to hosts that are not the analysed app's legitimate domains
  • Multiple failed or denied connection attempts from the MobSF server to internal services shortly after an APK upload

Network Indicators:

  • HTTP traffic from the MobSF server to internal ranges (10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16) or to loopback and link-local addresses (127.0.0.0/8, 169.254.0.0/16, including the 169.254.169.254 metadata endpoint)
  • Unusual port scanning patterns originating from MobSF server

SIEM Query:

source_ip=MobSF_server AND dest_ip IN (10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16, 127.0.0.0/8, 169.254.0.0/16) AND protocol IN (HTTP, HTTPS)
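The detection logic above, run over sample log lines, as an added example that is not part of this page or of MobSF. The log format, the MobSF server address, the internal DNS suffixes and the scan threshold are all constructed assumptions; adapt the regex to your proxy or firewall's real format. Denied requests are kept as indicators, since a blocked attempt still shows a crafted APK was analysed.

```python
import ipaddress
import re
from urllib.parse import urlsplit

MOBSF_SERVER = "10.0.1.15"                              # assumed MobSF host address
INTERNAL_SUFFIXES = (".corp", ".internal", ".local")    # assumed internal DNS zones

# Constructed proxy log lines: timestamp, source IP, status, method, URL.
# The last line comes from a different host and must not be attributed to MobSF.
LOG_LINES = [
    "1711000001.120 10.0.1.15 TCP_MISS/200 GET https://example.com/.well-known/assetlinks.json",
    "1711000002.004 10.0.1.15 TCP_MISS/200 GET http://169.254.169.254/latest/meta-data/",
    "1711000002.310 10.0.1.15 TCP_MISS/404 GET http://10.0.5.20/.well-known/assetlinks.json",
    "1711000002.611 10.0.1.15 TCP_DENIED/403 GET http://10.0.5.21:8080/.well-known/assetlinks.json",
    "1711000002.902 10.0.1.15 TCP_MISS/200 GET http://intranet.corp/.well-known/assetlinks.json",
    "1711000003.900 10.0.2.44 TCP_MISS/200 GET http://10.0.5.20/health",
]

LINE_RE = re.compile(
    r"^(?P<ts>\d+\.\d+) (?P<src>\S+) (?P<status>\S+) (?P<method>\S+) (?P<url>\S+)$"
)


def is_internal_destination(host):
    """True for non-public IP literals (RFC1918, loopback, link-local such as
    169.254.169.254, reserved) and for names under the assumed internal suffixes."""
    try:
        ip = ipaddress.ip_address(host)
    except ValueError:
        return host.lower().endswith(INTERNAL_SUFFIXES)
    return ip.is_private or ip.is_loopback or ip.is_link_local or ip.is_reserved


def parse_line(line):
    """Parse one log line into a dict; None if it does not match the format."""
    m = LINE_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["ts"] = float(rec["ts"])
    rec["host"] = urlsplit(rec["url"]).hostname or ""
    return rec


def ssrf_indicators(lines, mobsf_ip=MOBSF_SERVER):
    """Records of MobSF-originated requests to internal destinations."""
    hits = []
    for line in lines:
        rec = parse_line(line)
        if rec and rec["src"] == mobsf_ip and is_internal_destination(rec["host"]):
            hits.append(rec)
    return hits


def looks_like_scan(hits, window_s=60.0, min_hosts=3):
    """Scan heuristic: at least min_hosts distinct internal destinations
    from the MobSF host within any window_s-second window."""
    hits = sorted(hits, key=lambda r: r["ts"])
    for i, first in enumerate(hits):
        hosts = {r["host"] for r in hits[i:] if r["ts"] - first["ts"] <= window_s}
        if len(hosts) >= min_hosts:
            return True
    return False


if __name__ == "__main__":
    found = ssrf_indicators(LOG_LINES)
    for rec in found:
        print(f"{rec['ts']:.3f} {rec['status']} {rec['method']} {rec['url']}")
    print("scan pattern:", looks_like_scan(found))
```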
