
CVE-2025-46335: CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') in MobSF Mobile-Security-Framework-MobSF

High
Tags: Vulnerability, CVE-2025-46335, CWE-79
Published: Mon May 05 2025 (05/05/2025, 18:23:59 UTC)
Source: CVE
Vendor/Project: MobSF
Product: Mobile-Security-Framework-MobSF

Description

Mobile Security Framework (MobSF) is a security research platform for mobile applications in Android, iOS and Windows Mobile. A Stored Cross-Site Scripting (XSS) vulnerability has been identified in MobSF versions up to and including 4.3.2. The vulnerability arises from improper sanitization of user-supplied SVG files during the Android APK analysis workflow. Version 4.3.3 fixes the issue.

AI-Powered Analysis

AI analysis last updated: 07/05/2025, 19:42:04 UTC

Technical Analysis

CVE-2025-46335 is a high-severity Stored Cross-Site Scripting (XSS) vulnerability affecting the Mobile Security Framework (MobSF) up to and including version 4.3.2. MobSF is a widely used open-source security research platform for analyzing mobile applications across Android, iOS, and Windows Mobile environments. The vulnerability stems from improper sanitization of user-supplied SVG files during the Android APK analysis workflow. Specifically, when MobSF processes SVG files embedded within an Android APK, it fails to neutralize script content carried by those SVGs, so an attacker can have malicious JavaScript stored alongside the analysis results. That stored script then executes in the context of the MobSF web interface when the SVG is rendered, potentially enabling session hijacking, theft of analysis data, or further compromise of the MobSF server environment. Exploitation requires no authentication but does require user interaction (for example, an analyst uploading or analyzing a malicious APK that contains the crafted SVG). The CVSS 4.0 score of 8.6 reflects a network attack vector, low attack complexity, no privileges required, user interaction required, high impact on confidentiality and integrity, and limited impact on availability. The issue was addressed in MobSF version 4.3.3, which sanitizes SVG input to prevent script injection. No exploits are currently reported in the wild, but given MobSF's role in security research and mobile app analysis, exploitation could have significant consequences if weaponized.

Potential Impact

For European organizations, the impact of this vulnerability can be significant, especially for those relying on MobSF for mobile application security assessments, development, or research. Successful exploitation could lead to unauthorized access to sensitive analysis data, including proprietary mobile app code, security findings, or credentials stored within MobSF. This could compromise the confidentiality and integrity of security assessments and potentially expose organizations to further attacks. Additionally, since MobSF is often used in security teams and by developers, a compromised MobSF instance could serve as a pivot point for attackers to infiltrate internal networks or exfiltrate sensitive intellectual property. The vulnerability's exploitation could disrupt mobile app security workflows, delay vulnerability remediation, and undermine trust in security tools. Given the increasing regulatory focus in Europe on data protection (e.g., GDPR), any data leakage resulting from this vulnerability could also lead to compliance violations and financial penalties.

Mitigation Recommendations

European organizations using MobSF should immediately upgrade to version 4.3.3 or later to remediate this vulnerability. Beyond patching, organizations should implement strict input validation and sanitization policies for all files processed by MobSF, especially SVGs and other potentially scriptable formats. Running MobSF in isolated, segmented environments with limited network exposure can reduce the risk of lateral movement if compromised. Employing web application firewalls (WAFs) to detect and block malicious payloads targeting the MobSF interface can add an additional layer of defense. Regularly auditing and monitoring MobSF logs for unusual activity or unexpected file uploads can help detect exploitation attempts early. Training security analysts on the risks of processing untrusted APKs and enforcing strict operational security procedures when using MobSF will further reduce exposure. Finally, organizations should consider integrating automated vulnerability scanning and sandboxing of APKs prior to analysis in MobSF to minimize the risk of malicious payloads reaching the analysis platform.
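The pre-analysis check recommended above, as an added example that is not MobSF's own code and not how version 4.3.3 implements its fix: it unpacks an APK (a zip archive), inspects every SVG resource, and reports script elements, event-handler attributes and javascript: URIs so such files can be quarantined or escaped before any web UI renders them. All function names and the sample APK are constructed for this illustration.

```python
import io
import re
import zipfile
import xml.etree.ElementTree as ET
SVG_NS = "http://www.w3.org/2000/svg"
# Elements that let an inline-rendered SVG run script or embed foreign content.
ACTIVE_TAGS = {"script", "foreignobject", "iframe", "embed", "object"}
JS_URI = re.compile(r"^\s*javascript:", re.IGNORECASE)

def local_name(tag):
    return tag.rsplit("}", 1)[-1].lower()  # drop ElementTree's '{ns}' prefix

def svg_findings(svg_bytes):
    """Return the reasons an SVG is unsafe to render unescaped ([] = clean)."""
    try:
        root = ET.fromstring(svg_bytes)
    except ET.ParseError as exc:
        return [f"unparseable SVG: {exc}"]
    findings = []
    for el in root.iter():  # iter() yields the root <svg> element too
        name = local_name(el.tag)
        if name in ACTIVE_TAGS:
            findings.append(f"<{name}> element")
        for attr, value in el.attrib.items():
            aname = local_name(attr)
            if aname.startswith("on"):  # event handler such as onload
                findings.append(f"{aname} handler on <{name}>")
            elif aname == "href" and JS_URI.match(value):
                findings.append(f"javascript: URI on <{name}>")
    return findings

def scan_apk_svgs(apk_bytes):
    """Map every .svg entry in an APK (a zip archive) to its findings."""
    report = {}
    with zipfile.ZipFile(io.BytesIO(apk_bytes)) as apk:
        for entry in apk.namelist():
            if entry.lower().endswith(".svg"):
                report[entry] = svg_findings(apk.read(entry))
    return report

def build_sample_apk():
    """Constructed APK-like zip: one clean SVG, one with active content."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as z:
        z.writestr("res/drawable/clean.svg",
                   f'<svg xmlns="{SVG_NS}"><circle r="4"/></svg>')
        z.writestr("res/drawable/active.svg",
                   f'<svg xmlns="{SVG_NS}" onload="x()">'
                   '<script>/* constructed */</script></svg>')
    return buf.getvalue()
```

Any entry with a non-empty findings list should be treated as untrusted: either drop it from the rendered report or serve it as an escaped text attachment rather than inline markup.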


Technical Details

Data Version: 5.1
Assigner Short Name: GitHub_M
Date Reserved: 2025-04-22T22:41:54.911Z
CISA Enriched: true
CVSS Version: 4.0
State: PUBLISHED

Threat ID: 682d981dc4522896dcbdaf30

Added to database: 5/21/2025, 9:08:45 AM

Last enriched: 7/5/2025, 7:42:04 PM

Last updated: 7/29/2025, 6:55:50 AM
