CVE-2025-31116

MediumPublic PoC

Published: 31 March 2025

Published

31 March 2025

Modified

12 June 2025

KEV Added

—

Patch

—

CVSS Score 4.4 CVSS:3.1/AV:N/AC:H/PR:H/UI:N/S:C/C:L/I:N/A:L

EPSS Score 0.0010 27.4th percentile

Risk Priority 9 60% EPSS · 20% KEV · 20% CVSS

Summary

CVE-2025-31116 is a medium-severity SSRF (CWE-918) vulnerability in Opensecurity Mobile Security Framework. Its CVSS base score is 4.4 (Medium).

Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190); ranked at the 27.4th percentile by exploit likelihood (below the median); it is not currently listed in the CISA KEV catalog; a public proof-of-concept is referenced.

The strongest mitigations our analysis identified are NIST 800-53 SC-20 (Secure Name/Address Resolution Service (Authoritative Source)) and SI-10 (Information Input Validation).

Threat & Defense at a Glance

What attackers do: exploitation maps to Exploit Public-Facing Application (T1190). What defenders deploy: see the NIST 800-53 controls recommended below.

Threat & Defense Details

Mitigating Controls (NIST 800-53 r5)AI

SI-2 Flaw Remediation good match

prevent

Directly addresses the CVE by requiring timely remediation of the SSRF flaw through patching to MobSF version 4.3.2.

SI-10 Information Input Validation good match

prevent

Requires validation of host inputs in valid_host() to block malicious SSRF payloads, including those exploiting DNS rebinding.

SC-20 Secure Name/Address Resolution Service (Authoritative Source) good match

prevent

Enforces secure authoritative DNS resolution to mitigate DNS rebinding attacks that bypass socket.gethostbyname() checks.

MITRE ATT&CK Enterprise TechniquesAI

T1190 Exploit Public-Facing Application Initial Access

Adversaries may attempt to exploit a weakness in an Internet-facing host or system to initially access a network.

attack.mitre.org →

Why these techniques?

SSRF vulnerability in the MobSF web application (public-facing with network attack vector) directly enables exploitation of a public-facing application to access internal resources via DNS rebinding.

Confidence: HIGH · MITRE ATT&CK Enterprise v19.0

NVD Description

Mobile Security Framework (MobSF) is a pen-testing, malware analysis and security assessment framework capable of performing static and dynamic analysis. The mitigation for CVE-2024-29190 in valid_host() uses socket.gethostbyname(), which is vulnerable to SSRF abuse using DNS rebinding technique. This vulnerability…

is fixed in 4.3.2.

Deeper analysisAI

CVE-2025-31116 is a Server-Side Request Forgery (SSRF) vulnerability, classified under CWE-918, affecting the Mobile Security Framework (MobSF), an open-source tool for pen-testing, malware analysis, and security assessment of mobile applications via static and dynamic analysis. The flaw exists in the mitigation for the prior CVE-2024-29190 within the valid_host() function, which uses socket.gethostbyname() and is susceptible to SSRF abuse through DNS rebinding techniques. It carries a CVSS v3.1 base score of 4.4 (AV:N/AC:H/PR:H/UI:N/S:C/C:L/I:N/A:L) and was published on 2025-03-31. The vulnerability is fixed in MobSF version 4.3.2.

Exploitation is feasible over the network by attackers with high privileges, such as authenticated administrators, though it demands high attack complexity due to the DNS rebinding requirements and involves no user interaction. Successful attacks change scope and enable limited confidentiality impacts, such as unauthorized access to internal network resources, along with limited availability disruptions, but no integrity impacts.

The official GitHub security advisory (GHSA-fcfq-m8p6-gw56) and the patching commit (4b8bab5a9858c69fe13be4631b82d82186e0d3bd) confirm the fix in MobSF 4.3.2, recommending immediate upgrades for deployed instances to prevent SSRF exploitation.