CVE-2025-46335

5.4 MEDIUM

📋 TL;DR

A stored cross-site scripting (XSS) vulnerability in Mobile Security Framework (MobSF) allows attackers to inject malicious scripts via SVG files during Android APK analysis. When exploited, this could enable session hijacking, credential theft, or unauthorized actions within the MobSF interface. Users running MobSF versions up to 4.3.2 are affected.

💻 Affected Systems

Products:
  • Mobile Security Framework (MobSF)
Versions: Up to and including 4.3.2
Operating Systems: Any OS running MobSF
Default Config Vulnerable: ⚠️ Yes
Notes: Vulnerability requires SVG file upload during Android APK analysis workflow.

⚠️ Risk & Real-World Impact

🔴 Worst Case

Attacker gains administrative access to the MobSF instance, steals sensitive mobile app analysis data, or compromises the server hosting MobSF.

🟠 Likely Case

Attacker hijacks user sessions, steals authentication cookies, or performs unauthorized actions within the MobSF web interface.

🟢 If Mitigated

Script execution is contained within the browser sandbox, limiting impact to the specific user session.

🌐 Internet-Facing: HIGH
🏢 Internal Only: MEDIUM

🎯 Exploit Status

Public PoC: ✅ No
Weaponized: UNKNOWN
Unauthenticated Exploit: ✅ No
Complexity: LOW

Exploitation requires uploading a malicious SVG file to the MobSF instance, which requires access to the analysis interface.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: 4.3.3

Vendor Advisory: https://github.com/MobSF/Mobile-Security-Framework-MobSF/security/advisories/GHSA-mwfg-948f-2cc5

Restart Required: Yes

Instructions:

1. Back up the current MobSF configuration and data.
2. Update MobSF to version 4.3.3 using pip: 'pip install --upgrade mobsf==4.3.3'.
3. Restart the MobSF service.
4. Verify the update completed successfully.

🔧 Temporary Workarounds

Disable SVG file upload (all)
  • Modify MobSF configuration to reject SVG files during APK analysis
  • Edit MobSF configuration to add SVG to the blocked file types list

Implement WAF rules (all)
  • Add web application firewall rules to block malicious SVG content
  • Add a WAF rule to inspect and block SVG files with script tags

🧯 If You Can't Patch

  • Restrict access to MobSF interface to trusted users only
  • Implement content security policy headers to restrict script execution

🔍 How to Verify

Check if Vulnerable:

Check the MobSF version with 'mobsf --version' or examine the package metadata. If the version is 4.3.2 or lower, the system is vulnerable.

Check Version:

mobsf --version

Verify Fix Applied:

After updating, verify version is 4.3.3 or higher and test SVG file upload functionality.

📡 Detection & Monitoring

Log Indicators:

  • Unusual SVG file uploads
  • Multiple failed SVG upload attempts
  • Suspicious user agent strings during file upload

Network Indicators:

  • POST requests with SVG content containing script tags
  • Unusual outbound connections from MobSF server

SIEM Query:

source="mobsf.log" AND ("svg" OR ".svg") AND ("upload" OR "POST")
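As an added example (not MobSF's own code or its 4.3.3 fix), a defender-side gate in the spirit of the "block SVG files with script tags" workaround and the network indicator above: it parses an uploaded SVG and rejects any that carry script elements, inline event handlers, or javascript: URLs. The sample SVGs and the function names are constructed for this illustration.

```python
# Added example: reject SVG uploads that carry active content before they are
# stored or rendered. For untrusted input in production, parse with defusedxml
# instead of the stdlib parser to avoid entity-expansion issues.
import re
import xml.etree.ElementTree as ET

ACTIVE_ELEMENTS = {"script", "foreignobject"}   # elements that can run script


def svg_findings(svg_bytes: bytes) -> list[str]:
    """Return the reasons an SVG should be rejected (empty list = clean)."""
    findings: list[str] = []
    try:
        root = ET.fromstring(svg_bytes)
    except ET.ParseError as exc:
        return [f"unparseable XML: {exc}"]
    for el in root.iter():
        if not isinstance(el.tag, str):      # skip comments / PIs if present
            continue
        tag = el.tag.split("}")[-1].lower()  # drop the XML namespace prefix
        if tag in ACTIVE_ELEMENTS:
            findings.append(f"<{tag}> element")
        for name, value in el.attrib.items():
            local = name.split("}")[-1].lower()   # handles xlink:href too
            if local.startswith("on"):            # onload, onclick, ...
                findings.append(f"event handler {local} on <{tag}>")
            # Strip whitespace/control chars so "java\nscript:" is not missed.
            scheme = re.sub(r"[\s\x00-\x1f]", "", value).lower()
            if local == "href" and scheme.startswith("javascript:"):
                findings.append(f"javascript: URL on <{tag}>")
    return findings


def accept_upload(filename: str, data: bytes) -> tuple[bool, list[str]]:
    """Gate an analysis-workflow upload; non-SVG content passes through."""
    looks_like_svg = filename.lower().endswith(".svg") or b"<svg" in data[:512]
    if not looks_like_svg:
        return True, []
    findings = svg_findings(data)
    return not findings, findings


# Constructed samples (inert script bodies) for a local run.
NS = 'xmlns="http://www.w3.org/2000/svg" xmlns:xlink="http://www.w3.org/1999/xlink"'
CLEAN_SVG = f'<svg {NS}><circle r="5"/></svg>'.encode()
SCRIPT_SVG = f'<svg {NS}><script>void 0</script></svg>'.encode()
HANDLER_SVG = f'<svg {NS}><rect onload="void 0"/></svg>'.encode()
HREF_SVG = f'<svg {NS}><a xlink:href="javascript:void 0"><text>x</text></a></svg>'.encode()

if __name__ == "__main__":
    for name, blob in [("clean", CLEAN_SVG), ("script", SCRIPT_SVG),
                       ("handler", HANDLER_SVG), ("href", HREF_SVG)]:
        print(name, accept_upload(f"{name}.svg", blob))
```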
