CVE-2025-24803

CVE-2025-24803 is a high-severity cross-site scripting (XSS) vulnerability in mobsf (pip), affecting versions <= 4.3.0. It is fixed in 4.3.1.

Summary

Product: MobSF
Version: < 4.3.1
CWE-ID: CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
CVSS vector v.4.0: 8.5 (AV:N/AC:L/AT:N/PR:N/UI:P/VC:H/VI:H/VA:N/SC:N/SI:N/SA:N)
CVSS vector v.3.1: 8.1 (AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:N)
Description: Stored XSS in the iOS Dynamic Analyzer functionality.
Impact: Exploiting this vulnerability would allow an attacker to perform actions as other users, including administrative users.
Vulnerable component: dynamic_analysis.html
https://github.com/MobSF/Mobile-Security-Framework-MobSF/blob/d1d3b7a9aeb1a8c8c7c229a3455b19ade9fa8fe0/mobsf/templates/dynamic_analysis/ios/dynamic_analysis.html#L406
Exploitation conditions: A malicious application is uploaded to Corellium.
Mitigation: Apply the escapeHtml() function to the bundle variable before it is inserted into the page.
Researcher: Oleg Surnin (Positive Technologies)

Research

The researcher discovered a zero-day Stored Cross-site Scripting (XSS) vulnerability in the iOS Dynamic Analyzer functionality of MobSF.
According to Apple's documentation for bundle IDs, a bundle identifier must contain only alphanumeric characters (A–Z, a–z, and 0–9), hyphens (-), and periods (.).
(https://developer.apple.com/documentation/bundleresources/information-property-list/cfbundleidentifier)
However, an attacker can manually edit the Info.plist file and add special characters to the <key>CFBundleIdentifier</key> value.
In the dynamic_analysis.html file, the bundle value received from Corellium is not sanitized before it is rendered:
https://github.com/MobSF/Mobile-Security-Framework-MobSF/blob/d1d3b7a9aeb1a8c8c7c229a3455b19ade9fa8fe0/mobsf/templates/dynamic_analysis/ios/dynamic_analysis.html#L406

Figure 1. Unsanitized bundle

As a result, it is possible to break the HTML context and achieve Stored XSS.
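The two defensive checks the advisory points at, as an added example that is not MobSF's own code: an escapeHtml() step applied to the bundle value before it reaches an HTML context (the mitigation the advisory names), plus a validator based on Apple's documented CFBundleIdentifier charset that lets an operator flag any identifier Corellium reports that could not have come from a well-formed Info.plist. The function names, the button markup and the sample identifiers are assumptions constructed for this example.

```javascript
// Added example (not MobSF's code): sanitising a Corellium-supplied bundle
// identifier before it is inserted into the Dynamic Analyzer page, and flagging
// identifiers that fall outside Apple's documented charset.

// Apple's CFBundleIdentifier rules: alphanumerics, hyphens and periods only.
const BUNDLE_ID_RE = /^[A-Za-z0-9.-]+$/;

// True only for a non-empty string made entirely of the permitted characters.
function isValidBundleId(bundle) {
  return typeof bundle === 'string' && BUNDLE_ID_RE.test(bundle);
}

// Escape the five characters that can break out of an HTML text or
// attribute context. '&' is replaced first so later entities are not re-escaped.
function escapeHtml(str) {
  return String(str)
    .replace(/&/g, '&amp;')
    .replace(/</g, '&lt;')
    .replace(/>/g, '&gt;')
    .replace(/"/g, '&quot;')
    .replace(/'/g, '&#39;');
}

// Build the markup for one app's Uninstall button (layout is assumed). The
// bundle id lands in two attribute contexts, so it is escaped for both; the
// escape is applied unconditionally, not only when the id looks suspicious.
function renderUninstallButton(bundle) {
  const safe = escapeHtml(bundle);
  return `<button class="btn btn-danger" data-bundle="${safe}" ` +
         `title="Uninstall ${safe}">Uninstall</button>`;
}

// Detection side: return every identifier in a device's app list that does
// not match Apple's charset, so an operator can review it before trusting it.
function flagSuspiciousBundleIds(bundles) {
  return bundles.filter((b) => !isValidBundleId(b));
}

// Constructed sample values: two well-formed ids and one carrying characters
// Apple forbids, which would close the attribute if rendered unescaped.
const SAMPLE_VALID = 'com.example.app';
const SAMPLE_OTHER = 'net.test-app.v2';
const SAMPLE_BAD = 'com.example"><b>not-a-bundle</b>';

// Stand-alone run: show the escaped markup and the flagged identifier.
console.log(renderUninstallButton(SAMPLE_BAD));
console.log(flagSuspiciousBundleIds([SAMPLE_VALID, SAMPLE_BAD, SAMPLE_OTHER]));
```

Escaping is the fix for this context; the validator is a separate, cheaper signal, because a bundle identifier that violates Apple's rules cannot have been produced by an unmodified application and is worth surfacing on its own.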

Vulnerability reproduction

To reproduce the vulnerability, follow the steps described below.

• Unzip the IPA file of any iOS application.

Listing 1. Unzipping the file

unzip test.ipa

• Modify the value of <key>CFBundleIdentifier</key> in the Info.plist file by adding restricted characters.

Figure 2. Example of the modified Bundle Identifier

• Zip the modified IPA file.

Listing 2. Zipping the file

zip -r xss.ipa Payload/

• Upload the modified IPA file to your virtual device using the Corellium platform.

Figure 3. Example of the uploaded malicious application

• Open the XSS functionality and hover the mouse over the Uninstall button of the malicious app.

Figure 4. Example of the 'Uninstall' button

Figure 5. Example of the XSS

Figure 6. Example of the vulnerable code

Please assign all credit to: Oleg Surnin (Positive Technologies)

Impact

Untrusted input is rendered as active markup in a victim's browser, which can run script in their session. Typical impact: session or credential theft, and actions taken as the user.

CVE-2025-24803 has a CVSS score of 8.1 (High). The vector is network-reachable, no privileges required, and user interaction required. A CVSS score reflects the worst-case severity of the vulnerability, not your specific exposure. Whether this affects your application depends on whether the vulnerable code is present and reachable in your environment. A fixed version is available (4.3.1); upgrading removes the vulnerable code path.

Affected versions

mobsf (<= 4.3.0)

Security releases

mobsf → 4.3.1 (pip)

Kodem intelligence

Severity tells you how bad this could be in the worst case. It does not tell you whether you are exposed. Exploitability and impact are functions of runtime truth: whether the vulnerable code is present, reachable, and actually executes in your application. A vulnerable package can sit in your dependency tree and never run.

Kodem, an Intelligent Application Security platform, uses runtime intelligence to reveal which vulnerabilities actually execute in production, so teams prioritize the ones that genuinely matter. Kodem's runtime-powered SCA identifies whether this CVE is reachable in your applications.


Remediation advice

Upgrade mobsf to 4.3.1 or later to resolve this vulnerability.

Kodem Kai can prioritize this vulnerability in your dependency tree and generate a fix recommendation.

Frequently Asked Questions

  1. What is CVE-2025-24803? CVE-2025-24803 is a high-severity cross-site scripting (XSS) vulnerability in mobsf (pip), affecting versions <= 4.3.0. It is fixed in 4.3.1. Untrusted input is rendered as active markup in a victim's browser, which can run script in their session.
  2. How severe is CVE-2025-24803? CVE-2025-24803 has a CVSS score of 8.1 (High). This score reflects the worst-case severity of the vulnerability, not your specific exposure. Whether it represents real risk in your environment depends on whether the vulnerable code is present and reachable.
  3. Which versions of mobsf are affected by CVE-2025-24803? mobsf (pip) versions <= 4.3.0 are affected.
  4. Is there a fix for CVE-2025-24803? Yes. CVE-2025-24803 is fixed in 4.3.1. Upgrade to this version or later.
  5. Is CVE-2025-24803 exploitable, and should I be worried? Whether CVE-2025-24803 is exploitable in your environment depends on whether the vulnerable code is present and reachable. A CVSS score is a worst-case rating; it does not account for your specific deployment, configuration, or usage patterns. Kodem, an Intelligent Application Security platform, uses runtime intelligence to show which vulnerabilities actually execute in production, so you can focus on the ones that represent real risk.
  6. What actually determines whether CVE-2025-24803 is exploitable, and how bad it is? Exploitability and impact are not fixed properties of a CVE. They depend on runtime truth: whether the vulnerable code is present, reachable, and actually executes in your application. A high CVSS score on a dependency that never runs is not the same as real risk. Kodem, an Intelligent Application Security platform, uses runtime intelligence to reveal which vulnerabilities actually execute in production, so teams prioritize the ones that genuinely matter.
  7. How do I fix CVE-2025-24803? Upgrade mobsf to 4.3.1 or later.

Other vulnerabilities in mobsf

CVE-2026-24490, CVE-2025-58161, CVE-2025-58162, CVE-2024-54000, CVE-2025-46730
