
CVE-2025-58161: CWE-22: Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') in MobSF Mobile-Security-Framework-MobSF

Severity: Low
Tags: Vulnerability, CVE-2025-58161, cve, cwe-22
Published: Tue Sep 02 2025 (09/02/2025, 00:45:49 UTC)
Source: CVE Database V5
Vendor/Project: MobSF
Product: Mobile-Security-Framework-MobSF

Description

MobSF is a mobile application security testing tool. In version 4.4.0, the GET /download/ route uses string path verification via os.path.commonprefix, which allows an authenticated user to download files outside the DWD_DIR download directory from "neighboring" directories whose absolute paths begin with the same prefix as DWD_DIR (e.g., .../downloads_bak, .../downloads.old). This is a Directory Traversal (escape) leading to a data leak. This issue has been patched in version 4.4.1.

AI-Powered Analysis

Last updated: 09/02/2025, 01:18:04 UTC

Technical Analysis

CVE-2025-58161 is a directory traversal vulnerability identified in version 4.4.0 of the Mobile-Security-Framework (MobSF), a widely used tool for mobile application security testing. The vulnerability arises from improper pathname validation in the GET /download/ route. Specifically, the application uses Python's os.path.commonprefix function to verify that requested file paths reside within the designated download directory (DWD_DIR). However, this method is insufficient because commonprefix operates on a character-by-character basis rather than on path components, allowing attackers to craft paths that appear to share the same prefix but actually point to directories outside the intended download folder. For example, directories named downloads_bak or downloads.old, which share the initial characters with downloads, can be accessed. An authenticated user exploiting this flaw can download arbitrary files from these neighboring directories, leading to unauthorized data disclosure. The vulnerability does not require user interaction beyond authentication and does not affect system integrity or availability directly. It has been addressed in MobSF version 4.4.1 by improving path validation mechanisms to correctly restrict file access to the intended directory. No known exploits are currently reported in the wild, and the CVSS 4.0 base score is low (1.3), reflecting the limited impact and exploitation complexity.

Potential Impact

For European organizations using MobSF version 4.4.0, this vulnerability poses a risk of unauthorized disclosure of sensitive files located outside the designated download directory. Since MobSF is a security testing tool, it is often deployed in environments with access to sensitive mobile application data, source code, or security reports. An attacker with valid credentials could leverage this flaw to exfiltrate confidential information, potentially including proprietary code, security assessments, or user data stored in adjacent directories. Although the vulnerability requires authentication, insider threats or compromised credentials could facilitate exploitation. The impact on confidentiality is moderate due to potential data leakage, but integrity and availability remain unaffected. Given the low CVSS score and absence of known exploits, the immediate risk is limited; however, organizations should prioritize patching to prevent potential misuse, especially in regulated sectors such as finance, healthcare, or government where data confidentiality is critical.

Mitigation Recommendations

European organizations should upgrade MobSF installations from version 4.4.0 to 4.4.1 or later, where the vulnerability is patched. Until an upgrade is possible, restrict access to the MobSF application strictly to trusted personnel and enforce strong authentication mechanisms to reduce the risk of credential compromise. Implement network segmentation to isolate MobSF servers from broader enterprise networks and sensitive data repositories. Audit file system permissions to ensure that directories adjacent to the download directory do not contain sensitive files accessible by MobSF users. Additionally, review and enhance logging and monitoring around file download activities to detect anomalous access patterns indicative of exploitation attempts. Security teams should educate users about the risks of credential sharing and enforce multi-factor authentication to further mitigate unauthorized access. Finally, consider deploying Web Application Firewalls (WAFs) with rules to detect and block suspicious path traversal patterns in HTTP requests targeting the download endpoint.
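The following is an added example, not MobSF's own code, illustrating two points from this page: the Technical Analysis above, which explains why a character-level os.path.commonprefix check accepts sibling directories such as downloads_bak, and the mitigation advice above to review download logs for anomalous access. It places the prefix check beside a component-aware check built on os.path.commonpath, then runs the stricter check over constructed sample log lines. DWD_DIR, the log line format and every path in SAMPLE_LOG are assumptions made for the example; MobSF's real directory value and log format are not on this page.

```python
# Added example (not MobSF's code): character-prefix check vs. component-aware
# check, plus an audit of constructed download-log lines with the stricter check.
import os
import re

# Hypothetical download directory; MobSF's real DWD_DIR value is not on the page.
DWD_DIR = "/srv/mobsf/downloads"


def is_allowed_prefix_check(base_dir: str, requested: str) -> bool:
    """Character-prefix check of the kind the advisory describes as flawed.

    os.path.commonprefix compares strings character by character, so a sibling
    such as /srv/mobsf/downloads_bak shares all of /srv/mobsf/downloads as a
    prefix and is accepted.
    """
    base = os.path.abspath(base_dir)
    full = os.path.abspath(os.path.join(base, requested))
    return os.path.commonprefix([full, base]) == base


def is_allowed_component_check(base_dir: str, requested: str) -> bool:
    """Component-aware check: compare whole path components, not characters.

    os.path.commonpath splits on separators, so /srv/mobsf/downloads_bak and
    /srv/mobsf/downloads share only /srv/mobsf and the request is rejected.
    In a deployment, os.path.realpath should replace abspath so that symlinks
    inside the download directory are resolved as well; abspath is used here
    so the example runs without touching the filesystem.
    """
    base = os.path.abspath(base_dir)
    full = os.path.abspath(os.path.join(base, requested))
    try:
        return os.path.commonpath([base, full]) == base
    except ValueError:
        # Different drives (Windows) or mixed absolute/relative input:
        # treat as outside the base directory.
        return False


# Constructed sample log lines in a hypothetical format (not MobSF's own).
SAMPLE_LOG = """\
2025-09-02T00:45:49Z user=alice path=report.pdf
2025-09-02T00:46:02Z user=bob path=../downloads_bak/secret.txt
2025-09-02T00:46:10Z user=alice path=subdir/../report.pdf
2025-09-02T00:47:31Z user=carol path=../downloads.old/backup.db
2025-09-02T00:48:00Z user=bob path=../../other/notes.txt
"""

LOG_RE = re.compile(r"^(?P<ts>\S+) user=(?P<user>\S+) path=(?P<path>\S+)$")


def audit_download_log(log_text: str, base_dir: str = DWD_DIR) -> list:
    """Return (user, path, prefix_ok) for each request the component check rejects.

    prefix_ok is True when the flawed prefix check would have accepted the
    request: exactly the neighbouring-directory case the advisory describes.
    """
    findings = []
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue  # unparseable line; skip rather than guess
        path = m["path"]
        if is_allowed_component_check(base_dir, path):
            continue
        findings.append((m["user"], path, is_allowed_prefix_check(base_dir, path)))
    return findings


if __name__ == "__main__":
    for user, path, prefix_ok in audit_download_log(SAMPLE_LOG):
        verdict = "accepted by prefix check" if prefix_ok else "rejected by both checks"
        print(f"{user}: {path!r} resolves outside DWD_DIR ({verdict})")
```

The audit treats the component check as the source of truth and reports, for each rejected request, whether the prefix check would have let it through; a finding with prefix_ok set is the signature of the flaw this CVE describes, while a finding without it is ordinary traversal that both checks stop.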


Technical Details

Data Version: 5.1
Assigner Short Name: GitHub_M
Date Reserved: 2025-08-27T13:34:56.186Z
CVSS Version: 4.0
State: PUBLISHED

Threat ID: 68b64234ad5a09ad00d5f967

Added to database: 9/2/2025, 1:02:44 AM

Last enriched: 9/2/2025, 1:18:04 AM

Last updated: 9/3/2025, 12:34:09 AM

