CVE-2025-46730: CWE-409: Improper Handling of Highly Compressed Data (Data Amplification) in MobSF Mobile-Security-Framework-MobSF
MobSF is a mobile application security testing tool. Typically, MobSF is deployed on centralized internal or cloud-based servers that also host other security tools and web applications. Access to the MobSF web interface is often granted to internal security teams, audit teams, and external vendors. MobSF provides a feature that allows users to upload ZIP files for static analysis. Upon upload, these ZIP files are automatically extracted and stored within the MobSF directory. However, in versions up to and including 4.3.2, this functionality lacks a check on the total uncompressed size of the ZIP file, making it vulnerable to a ZIP of Death (zip bomb) attack. Because there is no safeguard against oversized extractions, an attacker can craft a specially prepared ZIP file that is small in compressed form but expands to a massive size upon extraction. Exploiting this, an attacker can exhaust the server's disk space, leading to a complete denial of service (DoS) not just for MobSF but also for any other applications or websites hosted on the same server. This vulnerability can therefore cause complete server disruption in an organization, affecting other internal portals and tools hosted on the same server. If an organization has built a customized cloud-based mobile security tool on the MobSF core, an attacker can exploit this vulnerability to crash its servers. Commit 6987a946485a795f4fd38cebdb4860b368a1995d fixes this issue. As an additional mitigation, it is recommended to implement a safeguard that checks the total uncompressed size of any uploaded ZIP file before extraction. If the estimated uncompressed size exceeds a safe threshold (e.g., 100 MB), MobSF should reject the file and notify the user.
AI Analysis
Technical Summary
CVE-2025-46730 is a vulnerability in the Mobile-Security-Framework-MobSF, a widely used mobile application security testing tool. MobSF allows users to upload ZIP files for static analysis, which are then automatically extracted and stored on the server. Versions up to and including 4.3.2 do not impose any limits on the total uncompressed size of uploaded ZIP files. This flaw enables a ZIP of Death (zip bomb) attack, where an attacker crafts a maliciously compressed ZIP archive that is small in size but expands to an extremely large size upon extraction. Exploiting this vulnerability can exhaust the server's disk space, resulting in a denial of service (DoS) condition. Since MobSF is often deployed on centralized internal or cloud-based servers that host multiple security tools and web applications, the impact extends beyond MobSF itself, potentially disrupting other critical internal portals and services hosted on the same infrastructure. The vulnerability requires an attacker with privileged authenticated access (the PR:H component of the CVSS vector denotes high privileges required) but does not require user interaction. The vulnerability affects confidentiality and integrity minimally but severely impacts availability by causing server resource exhaustion. The issue has been addressed in a commit (6987a946485a795f4fd38cebdb4860b368a1995d) that implements checks on the uncompressed size of ZIP files before extraction. A recommended mitigation is to reject ZIP files whose estimated uncompressed size exceeds a safe threshold (e.g., 100 MB), preventing resource exhaustion. No known exploits are reported in the wild as of now.
Potential Impact
For European organizations, this vulnerability poses a significant risk to the availability of internal security infrastructure and related services. Many enterprises and security teams rely on MobSF for mobile application security assessments, often deploying it on shared servers or cloud environments alongside other critical tools. An attacker exploiting this vulnerability could cause widespread disruption by exhausting disk space, leading to denial of service not only for MobSF but also for other applications hosted on the same server. This could delay security testing, audits, and incident response activities, potentially increasing the window of exposure to other threats. Organizations with customized or cloud-based deployments of MobSF are particularly vulnerable, as the attack could cause costly downtime and operational disruptions. Given the medium CVSS score (6.8) and the requirement for some level of authentication, the threat is moderate but should not be underestimated, especially in environments where multiple teams and external vendors have upload access. The lack of confidentiality or integrity impact reduces the risk of data breach but does not diminish the operational impact of service outages.
Mitigation Recommendations
1. Upgrade MobSF to a version later than 4.3.2 where the vulnerability is patched.
2. Implement strict validation on uploaded ZIP files by checking the total uncompressed size before extraction, rejecting files exceeding a predefined safe threshold (e.g., 100 MB).
3. Restrict upload permissions to trusted users only and enforce strong authentication and access controls to limit the attack surface.
4. Deploy MobSF on isolated servers or containers to prevent collateral damage to other critical applications in case of exploitation.
5. Monitor disk usage and set alerts for unusual spikes in storage consumption to detect potential zip bomb attacks early.
6. Consider implementing rate limiting or file size quotas on uploads to further reduce risk.
7. Regularly audit and review server logs for suspicious upload activity.
8. Educate internal and external users about the risks of uploading untrusted archives.
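The safeguard that the description and mitigation 2 above call for, as an added example written for this page (it is not code from MobSF or from the fix commit): the archive's central directory is read first to compare the declared uncompressed total and compression ratio against a threshold, and because those declared figures are written by the uploader, a second hard byte budget is enforced on the real decompressed stream while extracting. The limits, the function names (`inspect_zip`, `check_zip`, `safe_extract`, `is_safe`) and the in-memory sample archives are all constructed for illustration.

```python
import io
import os
import shutil
import tempfile
import zipfile

# Illustrative limits (assumptions for this example, not MobSF's own settings).
MAX_UNCOMPRESSED_BYTES = 100 * 1024 * 1024  # the 100 MB threshold the advisory suggests
MAX_COMPRESSION_RATIO = 100.0               # reject archives that inflate more than 100x
MAX_MEMBER_COUNT = 10_000                   # guard against archives with huge member lists


class UnsafeArchiveError(ValueError):
    """Raised when an archive fails a safety check before or during extraction."""


def inspect_zip(data: bytes) -> dict:
    """Read only the central directory and return the declared size figures.

    Nothing is decompressed here; the numbers come from per-member headers that
    the uploader controls, so they are a cheap first gate, not proof.
    """
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        infos = zf.infolist()
    declared = sum(i.file_size for i in infos)
    compressed = sum(i.compress_size for i in infos)
    if compressed:
        ratio = declared / compressed
    else:  # archive of empty members: no data to inflate, unless headers lie
        ratio = float("inf") if declared else 0.0
    return {"members": len(infos), "declared_bytes": declared,
            "compressed_bytes": compressed, "ratio": ratio}


def check_zip(data: bytes, max_bytes: int = MAX_UNCOMPRESSED_BYTES,
              max_ratio: float = MAX_COMPRESSION_RATIO,
              max_members: int = MAX_MEMBER_COUNT) -> dict:
    """Reject the upload before extraction if the declared figures are implausible."""
    stats = inspect_zip(data)
    if stats["members"] > max_members:
        raise UnsafeArchiveError(f"too many members: {stats['members']}")
    if stats["declared_bytes"] > max_bytes:
        raise UnsafeArchiveError(f"declared size {stats['declared_bytes']} exceeds {max_bytes}")
    if stats["ratio"] > max_ratio:
        raise UnsafeArchiveError(f"compression ratio {stats['ratio']:.0f}x exceeds {max_ratio}")
    return stats


def safe_extract(data: bytes, dest: str, max_bytes: int = MAX_UNCOMPRESSED_BYTES) -> int:
    """Extract with a hard budget on bytes actually written; returns the total.

    Forged headers can pass check_zip, so the budget is re-enforced on the
    decompressed stream. On failure the caller should discard `dest` entirely.
    """
    check_zip(data, max_bytes=max_bytes)
    dest_root = os.path.realpath(dest)
    written = 0
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        for info in zf.infolist():
            target = os.path.realpath(os.path.join(dest_root, info.filename))
            if not target.startswith(dest_root + os.sep):  # refuse path traversal
                raise UnsafeArchiveError(f"member escapes destination: {info.filename}")
            if info.is_dir():
                os.makedirs(target, exist_ok=True)
                continue
            os.makedirs(os.path.dirname(target), exist_ok=True)
            with zf.open(info) as src, open(target, "wb") as dst:
                for chunk in iter(lambda: src.read(64 * 1024), b""):
                    written += len(chunk)
                    if written > max_bytes:
                        raise UnsafeArchiveError("decompressed data exceeds budget")
                    dst.write(chunk)
    return written


def is_safe(data: bytes, **limits) -> bool:
    """Boolean wrapper around check_zip for callers that only need a verdict."""
    try:
        check_zip(data, **limits)
        return True
    except UnsafeArchiveError:
        return False


def make_zip(members: dict) -> bytes:
    """Build a deflated in-memory archive from {name: bytes} (constructed sample data)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        for name, content in members.items():
            zf.writestr(name, content)
    return buf.getvalue()


def extract_to_tempdir(data: bytes, max_bytes: int = MAX_UNCOMPRESSED_BYTES) -> int:
    """Extract into a throwaway directory and return bytes written; always cleans up."""
    dest = tempfile.mkdtemp()
    try:
        return safe_extract(data, dest, max_bytes=max_bytes)
    finally:
        shutil.rmtree(dest, ignore_errors=True)


if __name__ == "__main__":
    benign = make_zip({"AndroidManifest.xml": b"<manifest/>", "src/Main.java": b"class Main {}"})
    print("benign:", inspect_zip(benign), "->", extract_to_tempdir(benign), "bytes written")
    inflated = make_zip({"payload.bin": b"\0" * 1_000_000})  # 1 MB of zeros deflates to ~1 KB
    print("inflated:", inspect_zip(inflated), "->", "accepted" if is_safe(inflated) else "rejected")
```

The ratio gate catches the classic zip bomb (a tiny file that declares an enormous output) without decompressing anything, while the streaming budget is what actually bounds disk usage when the headers are dishonest; together with the disk-usage alerting in mitigation 5 this gives both a preventive and a detective control. The example does not recurse into nested archives, so an extractor that unpacks members it finds inside the upload must apply the same budget to each level.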
Affected Countries
Germany, France, United Kingdom, Netherlands, Sweden, Finland, Belgium, Italy, Spain
Technical Details
- Data Version: 5.1
- Assigner Short Name: GitHub_M
- Date Reserved: 2025-04-28T20:56:09.084Z
- Cisa Enriched: true
- Cvss Version: 3.1
- State: PUBLISHED
Threat ID: 682d981dc4522896dcbdadcd
Added to database: 5/21/2025, 9:08:45 AM
Last enriched: 7/6/2025, 8:11:08 PM
Last updated: 7/26/2025, 9:00:58 PM
Related Threats
- CVE-2025-8285: CWE-862: Missing Authorization in Mattermost Mattermost Confluence Plugin (Medium)
- CVE-2025-54525: CWE-1287: Improper Validation of Specified Type of Input in Mattermost Mattermost Confluence Plugin (High)
- CVE-2025-54478: CWE-306: Missing Authentication for Critical Function in Mattermost Mattermost Confluence Plugin (High)
- CVE-2025-54463: CWE-754: Improper Check for Unusual or Exceptional Conditions in Mattermost Mattermost Confluence Plugin (Medium)
- CVE-2025-54458: CWE-862: Missing Authorization in Mattermost Mattermost Confluence Plugin (Medium)