CVE-2024-29190 HIGH

CVE-2024-29190: MobSF SSRF Vulnerability on assetlinks_check(act_name, well_knowns)

Vendor Mobsf

Product Mobile-Security-Framework-MobSF

Weakness CWE-918 · SSRF

Published March 22, 2024

Last update April 10, 2025

View on NVD All CVEs

CVSS base score

7.5/10

Attack vector Network

Attack complexity Low

Privileges required None

User interaction None

Confidentiality High

Integrity None

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N

What the vulnerability does

01Description

Mobile Security Framework (MobSF) is a pen-testing, malware analysis and security assessment framework capable of performing static and dynamic analysis. In version 3.9.5 Beta and prior, MobSF does not perform any input validation when extracting the hostnames in `android:host`, so requests can also be sent to local hostnames. This can lead to server-side request forgery. An attacker can cause the server to make a connection to internal-only services within the organization's infrastructure. Commit 5a8eeee73c5f504a6c3abdf2a139a13804efdb77 has a hotfix for this issue.

Key dates

02Disclosure timeline

March 22, 2024 CVE published

April 10, 2025 Record updated

External resources

03References

NVD — National Vulnerability Database https://nvd.nist.gov/vuln/detail/CVE-2024-29190 CWE — Common Weakness Enumeration https://cwe.mitre.org/data/definitions/918.html

Related vulnerabilities

CVE-2024-29190: MobSF SSRF Vulnerability on assetlinks_check(act_name, well_knowns)

01Description

02Disclosure timeline

03References

04Related CVE