Path Traversal in Mobsf Mobile-security-framework-mobsf

CVE-2025-58161

MobSF is a mobile application security testing tool. In version 4.4.0, the GET /download/ route uses string path verification via os.path.commonprefix, which allows an authenticated user to download files outside the DWD_DIR download…

Vulnerability class: Path Traversal (Directory Traversal)
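
The weakness in an `os.path.commonprefix` containment check is that the function compares strings character by character, not path component by component. The following is an added example, not MobSF's code: the `DWD_DIR` value, the file names and the function names are constructed for illustration. It puts the prefix-style check beside a component-wise check built on `os.path.commonpath`.

```python
import os

# Constructed base directory for illustration; not MobSF's real layout.
DWD_DIR = "/srv/app/downloads"


def weak_is_inside(base, requested):
    """Character-wise prefix check, the pattern the advisory describes."""
    target = os.path.normpath(os.path.join(base, requested))
    # commonprefix works on characters, so "/srv/app/downloads_backup/x"
    # shares the full string "/srv/app/downloads" with the base.
    return os.path.commonprefix([base, target]) == base


def strict_is_inside(base, requested):
    """Component-wise containment check (hypothetical hardened form)."""
    base_real = os.path.realpath(base)
    target = os.path.realpath(os.path.join(base_real, requested))
    try:
        # commonpath compares whole path components, so a sibling directory
        # that merely starts with the same characters does not match.
        return os.path.commonpath([base_real, target]) == base_real
    except ValueError:
        # Raised for mixed absolute/relative paths or different drives.
        return False


def compare(base, names):
    """Return {name: (weak_result, strict_result)} for each requested name."""
    return {n: (weak_is_inside(base, n), strict_is_inside(base, n)) for n in names}


if __name__ == "__main__":
    # Constructed request values.
    samples = [
        "report.pdf",
        "../downloads_backup/secret.txt",
        "../../etc/passwd",
        "/etc/passwd",
    ]
    for name, (weak, strict) in compare(DWD_DIR, samples).items():
        print(f"{name!r:40} weak={weak!s:5} strict={strict}")
```

Only the sibling-directory case separates the two checks: the prefix check accepts it and the component-wise check rejects it.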

EPSS: 0.002 (41.9th percentile)

Affected products

Weakness classification (CWE)

References