
Cloud Vulnerability DB
A community-led vulnerabilities database
A Stored Cross-Site Scripting (XSS) vulnerability (CVE-2025-46335) was discovered in Mobile Security Framework (MobSF) versions up to and including 4.3.2. The vulnerability was disclosed on May 5, 2025, and affects the Android APK analysis workflow of this security research platform, which supports Android, iOS, and Windows Mobile applications. The issue was patched in version 4.3.3 (NVD, GitHub Advisory).
The vulnerability stems from improper sanitization of user-supplied SVG files during the Android APK analysis workflow. When an Android Studio project containing a malicious SVG file as an app icon (e.g., /app/src/main/res/mipmap-hdpi/ic_launcher.svg) is uploaded to MobSF, the tool processes and extracts the contents without proper validation. The vulnerability has been assigned a CVSS v4.0 score of 8.6 (HIGH) with the vector string CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:P/VC:H/VI:H/VA:L/SC:N/SI:N/SA:N (GitHub Advisory).
Upon ZIP extraction, the malicious icon file is saved by MobSF to user/.MobSF/downloads/.svg and becomes publicly accessible via the web interface. If the SVG contains embedded JavaScript (e.g., an XSS payload), accessing this URL via a browser leads to the execution of the script in the context of the MobSF user session, potentially compromising the security of the application (Wiz, GitHub Advisory).
The vulnerability has been patched in MobSF version 4.3.3. The fix includes implementation of proper SVG content sanitization using the bleach library to prevent XSS attacks. Users are strongly advised to upgrade to this version to mitigate the risk (GitHub Commit, Wiz).
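As an added illustration of the defensive control described above (this is not MobSF's own code nor its bleach-based fix), the following standard-library sanitizer strips script-bearing elements and attributes from an SVG icon before the file is written under a web-served downloads directory, and doubles as a detection check for icons that carried active content; the element and attribute lists, the function names and the constructed sample are assumptions of this example.

```python
# Added example (not MobSF code): neutralise active content in an uploaded SVG icon
# such as app/src/main/res/mipmap-hdpi/ic_launcher.svg before it is saved to a
# directory that the web interface serves back to browsers.
import xml.etree.ElementTree as ET

SVG_NS = "http://www.w3.org/2000/svg"
XLINK_NS = "http://www.w3.org/1999/xlink"
ET.register_namespace("", SVG_NS)          # keep the default namespace on output
ET.register_namespace("xlink", XLINK_NS)

# Elements that run or embed script when an SVG is opened directly in a browser.
ACTIVE_ELEMENTS = {"script", "foreignObject", "iframe", "embed", "object"}
# URL schemes that turn an href into script execution.
ACTIVE_SCHEMES = ("javascript:", "data:", "vbscript:")


def local_name(qualified: str) -> str:
    """'{namespace}tag' -> 'tag'; unqualified names are returned unchanged."""
    return qualified.rsplit("}", 1)[-1]


def is_active_attribute(name: str, value: str) -> bool:
    """True for event handlers (onload, onclick, ...) and script-scheme hrefs."""
    n = local_name(name).lower()
    if n.startswith("on"):
        return True
    if n == "href":                      # covers both href and xlink:href
        return value.strip().lower().startswith(ACTIVE_SCHEMES)
    return False


def sanitize_svg(svg_bytes: bytes) -> bytes:
    """Return the SVG with active elements and attributes removed.

    ElementTree is used so the example runs on the standard library alone;
    for untrusted uploads in production, parse with defusedxml instead.
    """
    root = ET.fromstring(svg_bytes)
    if local_name(root.tag) in ACTIVE_ELEMENTS:
        raise ValueError("root element is not a renderable SVG element")
    for element in list(root.iter()):    # snapshot: the tree is edited below
        for child in list(element):
            if local_name(child.tag) in ACTIVE_ELEMENTS:
                element.remove(child)
        for attr in [a for a, v in element.attrib.items() if is_active_attribute(a, v)]:
            del element.attrib[attr]
    return ET.tostring(root, encoding="utf-8")


def svg_has_active_content(svg_bytes: bytes) -> bool:
    """Detection-side check: True if sanitising would change the icon."""
    return sanitize_svg(svg_bytes) != ET.tostring(ET.fromstring(svg_bytes), encoding="utf-8")
```

Sanitising is a second line of defence; serving extracted icons with a non-inline content type or a Content-Disposition of attachment keeps the browser from executing them in the MobSF session even if a file slips through.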
Security researchers have emphasized the critical nature of this vulnerability, particularly given MobSF's deployment on centralized servers in many organizations, often alongside other critical security tools and web applications. The discovery highlights the importance of continuous security testing, even for security tools themselves (Cybersecurity News).
Source: This report was generated using AI