CVE-2025-24805: 
Python vulnerability analysis and mitigation

Mobile Security Framework (MobSF) version 4.3.0 and earlier contains a local privilege escalation vulnerability (CVE-2025-24805). The vulnerability exists in the authentication mechanism where a local user with minimal privileges can make use of an access token for materials for scopes which it should not be accepted. This issue was discovered on February 5, 2025, and has been addressed in version 4.3.1 (GitHub Advisory).

The vulnerability is classified as CWE-269 (Improper Privilege Management) with a CVSS v4.0 base score of 8.5 (HIGH). The attack vector is Network (AV:N) with Low attack complexity (AC:L) and requires Low privileges (PR:L). The vulnerability allows unauthorized access to privileged functionality through the exploitation of the authentication token system (NVD).

When successfully exploited, this vulnerability allows an attacker to gain unauthorized access to materials and functionality beyond their assigned privilege level. The vulnerability primarily affects the confidentiality and integrity of the system, with High impact on both vectors, while having no direct impact on system availability (GitHub Advisory).

The vulnerability has been patched in MobSF version 4.3.1. All users are advised to upgrade to this version as there are no known workarounds for this vulnerability. The fix involves removing token output in the returned js-script and implementing proper privilege management (GitHub Advisory).