PT-2025-5745 · Opensecurity+3 · Mobile Security Framework+2

Oleg Surnin · Published 2025-02-05 · Updated 2026-03-19 · CVE-2025-24803

CVSS v2.0: 8.5 (High)

Vector: AV:N/AC:L/Au:S/C:C/I:C/A:N
Name of the Vulnerable Software and Affected Versions: Mobile Security Framework (MobSF) versions prior to 4.3.1
Description: The issue concerns a stored cross-site scripting (XSS) vulnerability in the iOS Dynamic Analyzer functionality of the Mobile Security Framework (MobSF). According to Apple's documentation, bundle IDs must contain only alphanumeric characters, hyphens, and periods. However, an attacker can manually modify the CFBundleIdentifier value in the Info.plist file to include special characters. The dynamic_analysis.html file does not sanitize the bundle value it receives from Corellium, allowing an attacker to break out of the HTML context and achieve stored XSS. This could enable an attacker to perform actions as other users, including administrative users. The vulnerability can be exploited by uploading a malicious application to Corellium.
Recommendations: For versions prior to 4.3.1, update to version 4.3.1 to resolve the issue. As a temporary workaround, consider applying the escapeHtml() function to the bundle variable to sanitize the input. Restrict access to the dynamic_analysis.html file to minimize the risk of exploitation. Avoid using the CFBundleIdentifier value from the Info.plist file without proper sanitization until the issue is resolved.
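
The workaround above, sketched as an added example (not MobSF's own code): the bundle value is checked against the character set Apple documents for bundle IDs and HTML-escaped before it is placed in markup. The function bodies, the row markup and the sample app list are assumptions made for illustration.

```javascript
// Added example, not MobSF code. Names and markup are hypothetical.

// Apple's documented bundle ID alphabet: alphanumerics, hyphen, period.
const BUNDLE_ID_RE = /^[A-Za-z0-9.-]+$/;

function isValidBundleId(id) {
  return typeof id === "string" && BUNDLE_ID_RE.test(id);
}

// Stand-in for the escapeHtml() helper named in the recommendation.
const HTML_ESCAPES = { "&": "&amp;", "<": "&lt;", ">": "&gt;", '"': "&quot;", "'": "&#39;" };

function escapeHtml(value) {
  return String(value).replace(/[&<>"']/g, (ch) => HTML_ESCAPES[ch]);
}

// Build one table row. The value is always escaped, in both text and
// attribute context; rows with an out-of-spec bundle ID get no action button.
function renderAppRow(app) {
  const raw = app.bundle;
  const safe = escapeHtml(raw ?? "");
  if (!isValidBundleId(raw)) {
    return `<tr class="rejected"><td>${safe}</td><td>invalid bundle ID</td></tr>`;
  }
  return `<tr><td>${safe}</td><td><button data-bundle="${safe}">Start</button></td></tr>`;
}

// Render the list and report which entries failed validation so they can be logged.
function renderAppList(apps) {
  return {
    html: apps.map(renderAppRow).join("\n"),
    rejected: apps.filter((a) => !isValidBundleId(a.bundle)).map((a) => a.bundle),
  };
}

// Constructed sample data: one well-formed ID, one with characters outside the spec.
const sampleApps = [
  { bundle: "com.example.notes" },
  { bundle: 'com.example.app"><b>x</b>' },
];

const result = renderAppList(sampleApps);
console.log(result.html);
console.log("rejected:", result.rejected);
```

Validation and escaping are complementary here: escaping keeps the value inert in the page, while the validation result gives a signal worth logging, since a legitimately built app should never carry a bundle ID outside the documented alphabet.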

Exploit

Fix

XSS

Weakness Enumeration

Related Identifiers

BDU:2025-08881
CVE-2025-24803
GHSA-CXQQ-W3X5-7PH3

Affected Products

Mobile Security Framework
Mobile-Security-Framework-Mobsf
Mobsf