CVE-2022-41547: 
Python vulnerability analysis and mitigation

Mobile Security Framework (MobSF) v0.9.2 and below was discovered to contain a local file inclusion (LFI) vulnerability in the StaticAnalyzer/views.py component. The vulnerability was discovered on October 18, 2022, and affects the ViewSource function. This vulnerability allows attackers to read arbitrary files via a crafted HTTP request (NVD).

The vulnerability exists due to insufficient validation of the 'md5' parameter in the ViewSource function. An attacker could bypass the MD5 validation by using an actual MD5 string at the head of the request followed by a null-byte and directory traversal sequence. The issue stems from the regex pattern '[0-9a-f]{32}' which was not properly bounded, allowing path traversal attacks (GitHub PR).

The vulnerability allows attackers to read arbitrary files on the system through path traversal. For example, on macOS systems, attackers could read sensitive files like /private/etc/passwd, potentially exposing system configuration and user information (GitHub PR).

The vulnerability was fixed by implementing strict boundary checks on the MD5 regex pattern, changing it from '[0-9a-f]{32}' to '^[0-9a-f]{32}$'. Users should upgrade to versions newer than v0.9.2 to receive the security fix (GitHub PR).