VYPR
High severity · NVD Advisory · Published Sep 21, 2023 · Updated Sep 24, 2024

CVE-2023-42261

Description

Mobile Security Framework (MobSF) <=v3.7.8 Beta is vulnerable to Insecure Permissions. NOTE: the vendor's position is that authentication is intentionally not implemented because the product is not intended for an untrusted network environment. Use cases requiring authentication could, for example, use a reverse proxy server.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

Mobile Security Framework (MobSF) ≤3.7.8 Beta has insecure permissions due to no authentication by design; intended for trusted networks only.

Vulnerability

Mobile Security Framework (MobSF) versions up to and including 3.7.8 Beta suffer from insecure permissions, as the application does not enforce any authentication mechanism. This design choice means that anyone who can reach the web interface has full access to all features without needing to log in [1]. The vendor explicitly states that authentication is intentionally not implemented because the product is not intended for untrusted network environments [1].

Exploitation

An attacker with network access to the MobSF instance (e.g., on the same local network or via exposed ports) can access the web UI and REST APIs without any credentials. No prior authentication or authorization is required to perform any action, including triggering static or dynamic analysis, uploading files, or viewing results [2][4]. The default Docker Compose configuration exposes port 8000 without any proxy, making the instance directly accessible if deployed as-is [4].

Impact

Successful exploitation grants an attacker complete control over the MobSF instance. They can submit mobile applications for analysis, view analysis reports, access sensitive data from scanned apps, and potentially modify configurations. This can lead to exposure of proprietary application code, credentials, or other confidential information processed by MobSF [1][2].

Mitigation

The vendor recommends deploying MobSF behind a reverse proxy that enforces authentication (e.g., HTTP Basic Auth, OAuth) when used in untrusted networks [1]. No software patch is provided as the vendor considers this behavior by design. Users are advised to follow secure deployment practices and never expose MobSF directly to untrusted networks.
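One way to realise the recommended reverse-proxy deployment, as an added example that is not the MobSF project's own configuration: an nginx server block that requires HTTP Basic Auth on every request before forwarding to MobSF. It assumes MobSF listens only on 127.0.0.1:8000; the hostname, certificate paths and htpasswd path are placeholders.

```nginx
# Added example (not MobSF project configuration): nginx reverse proxy that
# enforces HTTP Basic Auth in front of a MobSF instance.
# Assumptions: MobSF is bound to 127.0.0.1:8000 and is not reachable on any
# other interface; /etc/nginx/mobsf.htpasswd was created with
# `htpasswd -c /etc/nginx/mobsf.htpasswd <user>` (placeholder path).
server {
    listen 443 ssl;
    server_name mobsf.example.internal;              # placeholder hostname

    ssl_certificate     /etc/nginx/certs/mobsf.crt;  # placeholder paths
    ssl_certificate_key /etc/nginx/certs/mobsf.key;

    # Applied at server level so every path, the REST API included,
    # requires credentials; there is no unauthenticated location.
    auth_basic           "MobSF";
    auth_basic_user_file /etc/nginx/mobsf.htpasswd;

    client_max_body_size 512m;     # mobile app uploads are large

    location / {
        proxy_pass         http://127.0.0.1:8000;
        proxy_set_header   Host              $host;
        proxy_set_header   X-Real-IP         $remote_addr;
        proxy_set_header   X-Forwarded-For   $proxy_add_x_forwarded_for;
        proxy_set_header   X-Forwarded-Proto $scheme;
        proxy_read_timeout 600s;   # analysis runs can take a while
    }
}

# Plain-HTTP requests are redirected to TLS, never proxied to MobSF.
server {
    listen 80;
    server_name mobsf.example.internal;              # placeholder hostname
    return 301 https://$host$request_uri;
}
```

With Docker Compose, publish the container port as "127.0.0.1:8000:8000" rather than "8000:8000" so that the proxy is the only route to the instance.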

AI Insight generated on May 20, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.

Affected packages

Versions sourced from the GitHub Security Advisory.

Package        Affected versions   Patched versions
mobsf (PyPI)   < 3.9.7             3.9.7

Affected products (2)

  • Mobile Security Framework / Mobile Security Framework (source: description)
  • Range: < 3.9.7 (source: ghsa-coords)

Patches (0)

No patches discovered yet.

Vulnerability mechanics

AI mechanics synthesis has not run for this CVE yet.

References (7)

News mentions (0)

No linked articles in our index yet.