N/A

CVSS Score

Basic Information

CVE ID

CVE-2025-58161

GHSA ID

GHSA-ccc3-fvfx-mw3v

EPSS Score

0.49036%

CWE

CWE-22

Published

9/2/2025

Updated

9/2/2025

KEV Status

Technology

Python

Concerned about an active attack path?

Talk to our security experts and see Miggo in action.

Miggo Vulnerability Database

→

CVE-2025-58161

CVE-2025-58161: MobSF Path Traversal in GET /download/<filename> using absolute filenames

Summary

The GET /download/<filename> route uses string path verification via os.path.commonprefix, which allows an authenticated user to download files outside the DWD_DIR download directory from "neighboring" directories whose absolute paths begin with the same prefix as DWD_DIR (e.g., .../downloads_bak, .../downloads.old). This is a Directory Traversal (escape) leading to a data leak.

Details

def is_safe_path(safe_root, check_path):
    safe_root  = os.path.realpath(os.path.normpath(safe_root))
    check_path = os.path.realpath(os.path.normpath(check_path))
    return os.path.commonprefix([check_path, safe_root]) == safe_root

commonprefix compares raw strings, not path components. For:

safe_root  = /home/mobsf/.MobSF/downloads
check_path = /home/mobsf/.MobSF/downloads_bak/test.txt

the function returns True, incorrectly treating downloads_bak as inside downloads. Download handler:

# MobSF/views/home.py
@login_required
def download(request):
    root = settings.DWD_DIR
    filename = request.path.replace('/download/', '', 1)
    dwd_file = Path(root) / filename  # absolute 'filename' ignores 'root'
    if '../' in filename or not is_safe_path(root, dwd_file):
        return HttpResponseForbidden(...)
    ext = dwd_file.suffix
    if ext in settings.ALLOWED_EXTENSIONS and dwd_file.is_file():
        return file_download(dwd_file, ...)

If the client supplies an absolute path in filename (starts with / or C:/), Path(root) / filename resolves to that absolute path; the flawed is_safe_path then accepts any sibling directory whose absolute path shares the same string prefix. The ../ check does not catch this.

Which file types are retrievable: Whatever is allowed by settings.ALLOWED_EXTENSIONS

PoC

Prereqs: authenticated user; standard install. Assume:

settings.DWD_DIR = /home/mobsf/.MobSF/downloads

Prepare a sibling directory with the same string prefix and a test file:

mkdir -p /home/mobsf/.MobSF/downloads_bak
echo "test" > /home/mobsf/.MobSF/downloads_bak/test.txt

As an authenticated user, request (note the leading / in the filename and the double/triple slash after /download/ to preserve it):

GET /download///home/mobsf/.MobSF/downloads_bak/test.txt HTTP/1.1
Host: <HOST>
Cookie: sessionid=<YOUR_SESSION>

Other working sibling directory names (if present):

…/downloads.old/...
…/downloads_backup/...
…/downloads1/...
…/downloads-archive/...
…/downloads 2024/... (URL-encoded space: downloads%202024)

Impact

Any authenticated user can download files (with allowed extensions) from sibling directories whose absolute paths start with the same string prefix as DWD_DIR.

(GitHub Advisory)

N/A

CVSS Score

Basic Information

CVE ID

CVE-2025-58161

GHSA ID

GHSA-ccc3-fvfx-mw3v

EPSS Score

0.49036%

CWE

CWE-22

Published

9/2/2025

Updated

9/2/2025

KEV Status

Technology

Python

Technical Details

CVSS Vector

Package Name	Ecosystem	Vulnerable Versions	First Patched Version
mobsf	pip	<= 4.4.0	4.4.1

Vulnerability Intelligence
Miggo AI

Root Cause Analysis

The vulnerability is a classic path traversal issue in the file download functionality of MobSF. The root cause lies in the is_safe_path function, which incorrectly used os.path.commonprefix to validate that a requested file path is within a designated safe directory. This method of validation can be bypassed by providing an absolute path that shares a common prefix with the safe directory, allowing access to sibling directories.

The download function in mobsf/MobSF/views/home.py is the entry point that receives the user-controlled filename. It then calls is_safe_path to perform the security check. The provided patch addresses the vulnerability by significantly strengthening the path validation logic. A new function, is_path_traversal, is introduced in mobsf/MobSF/utils.py to perform more rigorous checks, including looking for absolute paths, URL-encoded traversal sequences, and other malicious patterns. The is_safe_path function is updated to use this new, more secure validation function, and the download function is updated to call the patched is_safe_path with the necessary parameters.

Therefore, both mobsf.MobSF.views.home.download and mobsf.MobSF.utils.is_safe_path are identified as vulnerable. The former is the entry point that handles the malicious input, and the latter contains the flawed validation logic that enables the exploit.

Vulnerable functions

mobsf.MobSF.views.home.download

mobsf/MobSF/views/home.py

The `download` function is the entry point for the vulnerability. It constructs the file path from user input and, prior to the patch, used a weak validation check (`is_safe_path`) that was susceptible to path traversal. The patch modifies the call to `is_safe_path`, passing the raw filename for more robust validation.

mobsf.MobSF.utils.is_safe_path

mobsf/MobSF/utils.py

The original `is_safe_path` function contained the core logic flaw. It relied on `os.path.commonprefix` to validate file paths, which was insufficient and allowed an attacker to access files in sibling directories. The patch introduces a new, more comprehensive check by calling `is_path_traversal` and changes the function signature to accept the raw filename for this check.

WAF Protection Rules

WAF Rule

### Summ*ry T** **T /*ownlo**/<*il*n*m*> rout* us*s strin* p*t* v*ri*i**tion vi* os.p*t*.*ommonpr**ix, w*i** *llows *n *ut**nti**t** us*r to *ownlo** *il*s outsi** t** *W*_*IR *ownlo** *ir**tory *rom "n*i***orin*" *ir**tori*s w*os* **solut* p*t*s ***

Reasoning

T** vuln*r**ility is * *l*ssi* p*t* tr*v*rs*l issu* in t** *il* *ownlo** *un*tion*lity o* Mo*S*. T** root **us* li*s in t** `is_s***_p*t*` *un*tion, w*i** in*orr**tly us** `os.p*t*.*ommonpr**ix` to v*li**t* t**t * r*qu*st** *il* p*t* is wit*in * **si

N/A

Basic Information

Concerned about an active attack path?

CVE-2025-58161: MobSF Path Traversal in GET /download/<filename> using absolute filenames

Summary

Details

PoC

Impact

N/A

Basic Information

Technical Details

Vulnerability IntelligenceMiggo AI

Root Cause Analysis

Vulnerable functions

WAF Protection Rules

WAF Rule

Reasoning

Vulnerability Intelligence
Miggo AI