PT-2025-19792 · Mobsf · Mobsf

Ssshah2131 · Published 2025-05-05 · Updated 2025-05-05 · CVE-2025-46730

CVSS v3.1: 6.8 (Medium)
Vector: AV:N/AC:L/PR:H/UI:N/S:C/C:N/I:N/A:H
Name of the Vulnerable Software and Affected Versions: MobSF versions up to and including 4.3.2

Description: MobSF is a mobile application security testing tool used by security teams across numerous organizations, typically deployed on centralized internal or cloud-based servers. The tool provides a feature that allows users to upload ZIP files for static analysis; the archives are automatically extracted and stored within the MobSF directory. However, this functionality does not check the total uncompressed size of the ZIP file before extraction, making it vulnerable to a ZIP of Death (zip bomb) attack. An attacker can craft a ZIP file that is small in compressed form but expands to a massive size upon extraction, exhausting the server's disk space and causing a complete denial of service (DoS), not just for MobSF but also for any other applications or websites hosted on the same server. This vulnerability can therefore disrupt an entire server in an organization, affecting other internal portals and tools as well.

Recommendations: For versions up to and including 4.3.2, update to a version that includes the fix, such as the version after commit 6987a946485a795f4fd38cebdb4860b368a1995d. As an additional mitigation, implement a safeguard that checks the total uncompressed size of any uploaded ZIP file before extraction, rejecting files that exceed a safe threshold, such as 100 MB, and notifying the user.
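A defensive check of the kind the recommendation describes, as an added Python example (not MobSF's own code and not the fix in the commit above): it sums the entry sizes the central directory declares, and separately enforces the same limit on the bytes actually produced during decompression, since the declared sizes are attacker-controlled. The 100 MB threshold is the advisory's; the zero-filled sample archive is constructed here.

```python
import io
import os
import zipfile
from typing import Optional

# Threshold from the advisory's recommendation; tune per deployment.
MAX_UNCOMPRESSED_BYTES = 100 * 1024 * 1024


def declared_uncompressed_size(data: bytes) -> int:
    """Sum of the sizes the central directory claims for every entry."""
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        return sum(info.file_size for info in zf.infolist())


def is_safe_zip(data: bytes, limit: int = MAX_UNCOMPRESSED_BYTES) -> bool:
    """Cheap pre-extraction check: reject archives declaring more than `limit`."""
    return declared_uncompressed_size(data) <= limit


def extract_bounded(data: bytes, dest: Optional[str] = None,
                    limit: int = MAX_UNCOMPRESSED_BYTES) -> int:
    """Decompress entry by entry, counting bytes actually produced.

    Header sizes come from the upload, so the limit is enforced on real
    output too. With dest=None the archive is only measured, not written.
    Returns the total number of uncompressed bytes."""
    total = 0
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        for info in zf.infolist():
            if info.is_dir():
                continue
            out = None
            if dest is not None:
                path = os.path.join(dest, info.filename)
                os.makedirs(os.path.dirname(path), exist_ok=True)
                out = open(path, "wb")
            try:
                with zf.open(info) as src:
                    while chunk := src.read(64 * 1024):
                        total += len(chunk)
                        if total > limit:
                            raise ValueError("uncompressed size limit exceeded")
                        if out is not None:
                            out.write(chunk)
            finally:
                if out is not None:
                    out.close()
    return total


def make_sample_zip(entry_size: int) -> bytes:
    """Constructed sample: one entry of zeros, which DEFLATE shrinks ~1000x."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("payload.bin", b"\0" * entry_size)
    return buf.getvalue()
```

Run `is_safe_zip` on the raw upload before anything is written, and use `extract_bounded` (with a real `dest`) in place of an unbounded `extractall`.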

Exploit · Fix · DoS


Related Identifiers

CVE-2025-46730
GHSA-C5VG-26P8-Q8CR

Affected Products

Mobsf