PT-2025-5747 · Unknown · Mobile Security Framework
Egor Filatov
Published: 2025-02-05 · Updated: 2025-02-06
CVE-2025-24805
CVSS v4.0: 8.5 (High)
Vector: AV:N/AC:L/AT:N/PR:L/UI:P/VC:H/VI:H/VA:N/SC:L/SI:L/SA:N
Name of the Vulnerable Software and Affected Versions:
Mobile Security Framework (MobSF) versions prior to 4.3.1
Description:
The issue allows a local user with minimal privileges to use an access token to reach materials in scopes for which the token should not be accepted. This is due to improper privilege management: any registered user can get an API token with all privileges. The vulnerable component is the code output component, and exploitation requires an authorized user. There are no known workarounds for this issue.
Recommendations:
For versions prior to 4.3.1, upgrade to version 4.3.1 to address the issue. As a temporary workaround, consider removing token output in the returned js-script to minimize the risk of exploitation. Restrict access to the code output component (/source code) to minimize the risk of exploitation. Avoid using the API token with all privileges in the affected API endpoint until the issue is resolved.
Weakness:
Improper Privilege Management