Security Policy

Keeping MobSF updated to the latest version is essential for ensuring security and stability.

Reporting a Vulnerability

Please report all security issues here or email ajin25(gmail). We believe in coordinated and responsible disclosure.

Vulnerability	Affected Versions
Arbitrary File Write (AR-Slip) via Absolute Path in .a Extraction	`<=4.4.0`
Path Traversal in GET /download/`<filename>` using absolute filenames in MobSF data directory)	`<=4.4.0`
Zip bomb Denial of Service (DoS) via Resource Exhaustion (Disk Space)	`<=4.3.2`
Stored Cross Site Scripting (XSS) via malicious SVG app icon	`<=4.3.2`
SSRF on assetlinks_check with DNS Rebinding	`<=4.3.1`
Partial Denial of Service due to strict regex check in iOS report view URL	`<=4.3.0`
Local Privilege escalation due to leaked REST API key in web UI	`<=4.3.0`
Stored Cross-Site Scripting in iOS dynamic_analysis view via `bundle` id	`<=4.3.0`
Stored Cross-Site Scripting Vulnerability in Recent Scans "Diff or Compare"	`<=4.2.8`
Zip Slip Vulnerability in .a extraction	`<=4.0.6`
Open Redirect in Login redirect	`<=4.0.4`
SSRF in firebase database check	`<=3.9.7`
SSRF in AppLink check via abusing url redirect	`<=3.9.6`
SSRF in AppLink check via crafted android:host	`<=3.9.5`
Arbitrary Local file read in APK icon resource	`>=1.0.4, <=3.9.2`
Remote Code Execution via arbitrary file overwrite vulnerability in apktool <2.9.2, [CVE-2024-21633]	`<=3.9.1`
Arbitrary Local file read regression	`<3.0.0`
Upload a malicious zip file can overwrite arbitary files	`>=0.9.3.2, <=0.9.4.1`
Arbitrary Local file read	`<=0.9.2`