CVE-2025-24803: 
Python vulnerability analysis and mitigation

Mobile Security Framework (MobSF) version 4.3.0 and earlier contains a stored Cross-Site Scripting (XSS) vulnerability in the iOS Dynamic Analyzer functionality. The vulnerability was discovered in February 2025 and assigned CVE-2025-24803. The issue affects the dynamic_analysis.html file which fails to properly sanitize bundle identifier values received from Corellium (GitHub Advisory).

According to Apple's documentation, bundle IDs must contain only alphanumeric characters (A-Z, a-z, 0-9), hyphens (-), and periods (.). However, an attacker can manually modify the CFBundleIdentifier value in the Info.plist file to include special characters. The dynamic_analysis.html file does not sanitize the received bundle value from Corellium, making it possible to break the HTML context and achieve Stored XSS. The vulnerability has been assigned a CVSS v4.0 base score of 8.4 (High) with vector: CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:P/VC:H/VI:H/VA:N/SC:N/SI:N/SA:N (GitHub Advisory, Apple Docs).

The successful exploitation of this vulnerability would enable attackers to perform actions as other users, including administrative users. The vulnerability allows for unauthorized access and potential manipulation of user sessions through cross-site scripting attacks (GitHub Advisory).

This vulnerability has been patched in MobSF version 4.3.1. The fix involves implementing proper input sanitization using the escapeHtml() function on the bundle variable. All users are advised to upgrade to version 4.3.1 or later. There are no known workarounds for this vulnerability (GitHub Advisory).