CVE-2025-31116

4.4 MEDIUM

📋 TL;DR

This CVE describes a Server-Side Request Forgery (SSRF) vulnerability in Mobile Security Framework (MobSF) where the mitigation for a previous SSRF vulnerability (CVE-2024-29190) was insufficient. The valid_host() function relies on socket.gethostbyname(), which resolves the hostname once, at check time. With DNS rebinding, the attacker-controlled name can resolve to a public address while it is being checked and to an internal address when the request is actually sent, so the check is bypassed and the attacker can make unauthorized requests to internal systems. This affects all users running vulnerable versions of MobSF.

💻 Affected Systems

Products:
  • Mobile Security Framework (MobSF)
Versions: before 4.3.2
Operating Systems: All
Default Config Vulnerable: ⚠️ Yes
Notes: All deployments with the vulnerable code are affected regardless of configuration.

⚠️ Risk & Real-World Impact

🔴 Worst Case

Attackers could access internal services, exfiltrate sensitive data, or pivot to other internal systems through the compromised MobSF instance.

🟠 Likely Case

Unauthorized access to internal HTTP services, port scanning of internal networks, or data exfiltration from internal APIs.

🟢 If Mitigated

Limited impact if network segmentation restricts MobSF's network access and proper input validation is implemented.

🌐 Internet-Facing: HIGH
🏢 Internal Only: MEDIUM

🎯 Exploit Status

Public PoC: ⚠️ Yes
Weaponized: LIKELY
Unauthenticated Exploit: ⚠️ Yes
Complexity: MEDIUM

The vendor advisory includes technical details, and the fix itself illustrates the exploit mechanism. DNS rebinding attacks require specific timing but are well documented.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: 4.3.2

Vendor Advisory: https://github.com/MobSF/Mobile-Security-Framework-MobSF/security/advisories/GHSA-fcfq-m8p6-gw56

Restart Required: Yes

Instructions:

1. Back up your current MobSF installation and data.
2. Update to version 4.3.2 or later using: pip install mobsf==4.3.2
3. Restart the MobSF service.
4. Verify that the update was successful.

🔧 Temporary Workarounds

Network Segmentation (all)

Restrict MobSF's network access to only the external resources it needs, using firewall rules.

Input Validation Enhancement (all)

Implement additional validation of host parameters before passing them to socket.gethostbyname().
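The following is an added example, not MobSF's code and not the project's fix: it shows the two changes that close the gap described in the TL;DR. Every address a name resolves to is validated (not just the first answer), and the request is then sent to the validated IP literal with the original hostname carried in the Host header, so the HTTP client never performs a second lookup that a rebinding DNS server could answer with an internal address. The function names, the FAKE_DNS table and the sample hostnames are constructed for the demo; swap fake_resolver for the default system_resolver to use real DNS.

```python
"""Hardened host validation with address pinning (added example, not MobSF code).

Mitigates DNS rebinding against an SSRF check: validate every resolved
address, then connect to the vetted IP literal instead of re-resolving.
"""
import ipaddress
import socket
from typing import Callable, Iterable
from urllib.parse import urlsplit, urlunsplit

Resolver = Callable[[str], Iterable[str]]


def system_resolver(host: str) -> list[str]:
    """Return every A/AAAA answer for host, not only the first one."""
    infos = socket.getaddrinfo(host, None, proto=socket.IPPROTO_TCP)
    return sorted({info[4][0] for info in infos})


def is_internal(ip_text: str) -> bool:
    """True for any address an SSRF check must refuse.

    IPv4-mapped IPv6 (::ffff:10.0.0.1) is unwrapped so it is judged as 10.0.0.1.
    """
    ip = ipaddress.ip_address(ip_text)
    if isinstance(ip, ipaddress.IPv6Address) and ip.ipv4_mapped is not None:
        ip = ip.ipv4_mapped
    # not is_global covers RFC1918, loopback, link-local, CGNAT and reserved space
    return not ip.is_global or ip.is_multicast or ip.is_unspecified


def resolve_and_validate(host: str, resolver: Resolver = system_resolver) -> list[str]:
    """Resolve host once and reject it if ANY answer is internal.

    Returns the vetted addresses so the caller can connect to one of them
    directly instead of resolving the name a second time.
    """
    try:
        ipaddress.ip_address(host)          # bare IP literal: nothing to resolve
        addrs = [host]
    except ValueError:
        try:
            addrs = list(resolver(host))
        except socket.gaierror as exc:
            raise ValueError(f"{host!r} does not resolve") from exc
    if not addrs:
        raise ValueError(f"{host!r} returned no addresses")
    bad = [a for a in addrs if is_internal(a)]
    if bad:
        raise ValueError(f"{host!r} resolves to disallowed address(es): {bad}")
    return addrs


def pin_request(url: str, resolver: Resolver = system_resolver) -> tuple[str, dict[str, str]]:
    """Rewrite url to target a validated IP literal; keep the name in Host.

    The returned (url, headers) pair can be handed to any HTTP client. The
    client only ever sees an IP literal, so a rebinding DNS server gets no
    second query to answer with an internal address.
    """
    parts = urlsplit(url)
    if parts.scheme not in ("http", "https"):
        raise ValueError(f"unsupported scheme {parts.scheme!r}")
    host = parts.hostname
    if host is None:
        raise ValueError("URL has no host")
    pinned_ip = resolve_and_validate(host, resolver)[0]
    if ":" in pinned_ip:                        # IPv6 literal needs brackets in a URL
        pinned_ip = f"[{pinned_ip}]"
    netloc = pinned_ip if parts.port is None else f"{pinned_ip}:{parts.port}"
    pinned_url = urlunsplit((parts.scheme, netloc, parts.path, parts.query, ""))
    host_header = host if parts.port is None else f"{host}:{parts.port}"
    return pinned_url, {"Host": host_header}


def url_is_allowed(url: str, resolver: Resolver = system_resolver) -> bool:
    """Convenience wrapper: True if pin_request accepts the URL."""
    try:
        pin_request(url, resolver)
        return True
    except ValueError:
        return False


# Constructed, offline stand-in for DNS. "rebind.example" answers with an
# internal address alongside a public one, which the validator must refuse.
FAKE_DNS = {
    "cdn.example": ["93.184.216.34"],
    "rebind.example": ["93.184.216.34", "10.0.0.5"],
    "mapped.example": ["::ffff:192.168.1.10"],
    "localhost": ["127.0.0.1"],
}


def fake_resolver(host: str) -> list[str]:
    if host not in FAKE_DNS:
        raise socket.gaierror(f"no such name: {host}")
    return FAKE_DNS[host]


if __name__ == "__main__":
    for name in FAKE_DNS:
        try:
            print(name, "->", pin_request(f"https://{name}/report", fake_resolver))
        except ValueError as err:
            print(name, "REFUSED:", err)
```

When the pinned URL is used with a TLS client, certificate verification must still be performed against the original hostname rather than the IP literal; clients that support a server_hostname or SNI override need that set to the value in the Host header.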

🧯 If You Can't Patch

  • Deploy MobSF in a restricted network segment with no access to internal systems
  • Implement a web application firewall (WAF) with SSRF protection rules

🔍 How to Verify

Check if Vulnerable:

Check your MobSF version: python -c "import mobsf; print(mobsf.__version__)". If version is below 4.3.2, you are vulnerable.

Check Version:

python -c "import mobsf; print(mobsf.__version__)"

Verify Fix Applied:

After updating, verify that the version is 4.3.2 or higher using the same command, and test that SSRF attempts are blocked.

📡 Detection & Monitoring

Log Indicators:

  • Unusual outbound HTTP requests from MobSF to internal IP addresses
  • Multiple DNS resolution failures for suspicious domains

Network Indicators:

  • MobSF making requests to internal IP ranges (10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16)
  • Rapid DNS queries followed by HTTP requests

SIEM Query:

source="mobsf.log" AND (dest_ip=10.0.0.0/8 OR dest_ip=172.16.0.0/12 OR dest_ip=192.168.0.0/16)
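As an added example (not part of the page and not MobSF's logging), the check below runs the indicators listed above over a few constructed log lines: an HTTP request whose destination falls in the same three ranges as the SIEM query, and, going one step further than the page, a hostname whose DNS answer flips from a public to an internal address within a short window, which is the pattern a rebinding attack produces. The key=value log format, the 30-second window and the sample lines are assumptions for the demo; a real deployment would adapt parse_line to the actual log source.

```python
"""Detect SSRF / DNS-rebinding indicators in outbound-request logs.

Added example, not MobSF code. Log format (constructed for the demo):
  ts=<ISO8601> event=dns name=<host> answer=<ip>
  ts=<ISO8601> event=http host=<host> dest_ip=<ip> status=<code>
"""
import ipaddress
import re
from datetime import datetime, timedelta

# Same ranges the SIEM query above matches on.
INTERNAL_NETS = [
    ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")
]
# Assumed window: a public answer followed by an internal one this quickly
# for the same name is treated as a rebinding signature.
REBIND_WINDOW = timedelta(seconds=30)
KV = re.compile(r'(\w+)=("[^"]*"|\S+)')

# Constructed sample log: a normal fetch, then a rebinding sequence.
SAMPLE_LOG = [
    'ts=2025-04-01T10:00:00 event=dns name=cdn.example answer=93.184.216.34',
    'ts=2025-04-01T10:00:01 event=http host=cdn.example dest_ip=93.184.216.34 status=200',
    'ts=2025-04-01T10:05:00 event=dns name=rebind.example answer=93.184.216.34',
    'ts=2025-04-01T10:05:02 event=dns name=rebind.example answer=10.0.0.5',
    'ts=2025-04-01T10:05:02 event=http host=rebind.example dest_ip=10.0.0.5 status=200',
]


def parse_line(line: str) -> dict:
    """Split a key=value line into a dict and parse the timestamp."""
    fields = {k: v.strip('"') for k, v in KV.findall(line)}
    fields["ts"] = datetime.fromisoformat(fields["ts"])
    return fields


def in_internal_ranges(ip_text: str) -> bool:
    """True if the address is inside 10/8, 172.16/12 or 192.168/16."""
    ip = ipaddress.ip_address(ip_text)
    return any(ip in net for net in INTERNAL_NETS)


def find_alerts(lines) -> list[tuple]:
    """Return (timestamp, kind, hostname, ip) tuples for matching events.

    kind is "internal-dest" for an HTTP request to an internal range and
    "dns-rebind" for a name whose answer turned internal shortly after it
    was public.
    """
    alerts = []
    last_public = {}  # hostname -> timestamp of its most recent public answer
    for f in map(parse_line, lines):
        if f["event"] == "dns":
            if in_internal_ranges(f["answer"]):
                seen = last_public.get(f["name"])
                if seen is not None and f["ts"] - seen <= REBIND_WINDOW:
                    alerts.append((f["ts"], "dns-rebind", f["name"], f["answer"]))
            else:
                last_public[f["name"]] = f["ts"]
        elif f["event"] == "http" and in_internal_ranges(f["dest_ip"]):
            alerts.append((f["ts"], "internal-dest", f["host"], f["dest_ip"]))
    return alerts


if __name__ == "__main__":
    for alert in find_alerts(SAMPLE_LOG):
        print(*alert)
```

Note that the three ranges mirror the SIEM query exactly; loopback (127.0.0.0/8) and link-local (169.254.0.0/16, where cloud metadata services live) are not covered by it, so a production rule should extend INTERNAL_NETS accordingly.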
