CVE-2025-24804: 
Python vulnerability analysis and mitigation

Mobile Security Framework (MobSF) version 4.3.0 and earlier contains a vulnerability in the iOS bundle identifier validation mechanism. The vulnerability was discovered and disclosed on February 5, 2025, affecting the automated mobile application pen-testing and security assessment framework that supports Android, iOS, and Windows platforms (NVD, GitHub Advisory).

The vulnerability stems from insufficient validation of iOS bundle identifiers. According to Apple's documentation, bundle IDs must only contain alphanumeric characters (A-Z, a-z, 0-9), hyphens (-), and periods (.). However, the application's URL routing mechanism used a less restrictive regex pattern that allowed special characters in the bundle identifier. The vulnerability has been assigned a CVSS v4.0 base score of 4.8 (Medium) with the vector string CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:P/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N (GitHub Advisory).

When an attacker modifies the CFBundleIdentifier value in the Info.plist file to include special characters, the application encounters parsing errors. This results in a 500 error response and makes the affected pages inaccessible. The only remediation is to manually remove the malicious application from the system (GitHub Advisory).

The vulnerability has been patched in MobSF version 4.3.1. Users are advised to upgrade to this version or later. There are no known workarounds for this vulnerability (GitHub Commit).