CVE-2024-54000 HIGH

CVE-2024-54000: Mobile Security Framework (MobSF) bypass of SSRF fix

Vendor Mobsf
Product Mobile-Security-Framework-MobSF
Weakness CWE-918 · SSRF
Published December 3, 2024
Last update December 3, 2024
View on NVD All CVEs

CVSS base score

7.5/10
Attack vector Network
Attack complexity Low
Privileges required None
User interaction None
Confidentiality High
Integrity None

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N

What the vulnerability does

01Description

Mobile Security Framework (MobSF) is a pen-testing, malware analysis and security assessment framework capable of performing static and dynamic analysis. In versions prior to 3.9.7, the requests.get() request in the _check_url method is specified as allow_redirects=True, which allows a server-side request forgery when a request to .well-known/assetlinks.json" returns a 302 redirect. This is a bypass of the fix for CVE-2024-29190 and is fixed in 3.9.7.

Key dates

02Disclosure timeline

December 3, 2024 CVE published
December 3, 2024 Record updated

Related vulnerabilities

04Related CVE

CVE-2025-13796 deco-cx apps Parameter analyticsScript.ts AnalyticsScript server-side request forgery CVE-2024-51981 Unauthenticated Server Side Request Forgery (SSRF) via WS-Eventing affecting multiple models from Brother Industries, Ltd, FUJIFILM Business Innovation, Ricoh, and Toshiba Tec, and Konica Minolta, Inc. CVE-2026-27488 OpenClaw hardened cron webhook delivery against SSRF CVE-2025-3192 CVE-2026-56285 Nitter - Server-Side Request Forgery in /video Media Proxy Endpoint