Cyber Resilience

CVE-2025-31116

MediumPublic PoC

Published: 31 March 2025

Published
31 March 2025
Modified
12 June 2025
KEV Added
Patch
CVSS Score v3.1 4.4 CVSS:3.1/AV:N/AC:H/PR:H/UI:N/S:C/C:L/I:N/A:L
EPSS Score 0.0016 36.3th percentile
Risk Priority 9 60% EPSS · 20% KEV · 20% CVSS

Summary

CVE-2025-31116 is a medium-severity SSRF (CWE-918) vulnerability in Opensecurity Mobile Security Framework. Its CVSS base score is 4.4 (Medium).

Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190); ranked at the 36.3th percentile by exploit likelihood (below the median); it is not currently listed in the CISA KEV catalog; a public proof-of-concept is referenced.

The strongest mitigations our analysis identified are NIST 800-53 SC-20 (Secure Name/Address Resolution Service (Authoritative Source)) and SI-10 (Information Input Validation).

Deeper analysis

CVE-2025-31116 is a Server-Side Request Forgery (SSRF) vulnerability, classified under CWE-918, affecting the Mobile Security Framework (MobSF), an open-source tool for pen-testing, malware analysis, and security assessment of mobile applications via static and dynamic analysis. The flaw exists in the mitigation for the prior CVE-2024-29190 within the valid_host() function, which uses socket.gethostbyname() and is susceptible to SSRF abuse through DNS rebinding techniques. It carries a CVSS v3.1 base score of 4.4 (AV:N/AC:H/PR:H/UI:N/S:C/C:L/I:N/A:L) and was published on 2025-03-31. The vulnerability is fixed in MobSF version 4.3.2.

Exploitation is feasible over the network by attackers with high privileges, such as authenticated administrators, though it demands high attack complexity due to the DNS rebinding requirements and involves no user interaction. Successful attacks change scope and enable limited confidentiality impacts, such as unauthorized access to internal network resources, along with limited availability disruptions, but no integrity impacts.

The official GitHub security advisory (GHSA-fcfq-m8p6-gw56) and the patching commit (4b8bab5a9858c69fe13be4631b82d82186e0d3bd) confirm the fix in MobSF 4.3.2, recommending immediate upgrades for deployed instances to prevent SSRF exploitation.

EU & UK References

Vulnerability details

Mobile Security Framework (MobSF) is a pen-testing, malware analysis and security assessment framework capable of performing static and dynamic analysis. The mitigation for CVE-2024-29190 in valid_host() uses socket.gethostbyname(), which is vulnerable to SSRF abuse using DNS rebinding technique. This vulnerability…

more

is fixed in 4.3.2.

CWE(s)

Related Threats

MITRE ATT&CK Enterprise TechniquesAI

T1190 Exploit Public-Facing Application Initial Access
Adversaries may attempt to exploit a weakness in an Internet-facing host or system to initially access a network.
Why these techniques?

SSRF vulnerability in the MobSF web application (public-facing with network attack vector) directly enables exploitation of a public-facing application to access internal resources via DNS rebinding.

Confidence: HIGH · MITRE ATT&CK Enterprise v19.0

CVEs Like This One

CVE-2026-24490Same product: Opensecurity Mobile Security Framework
CVE-2026-6514Shared CWE-918
CVE-2026-44116Shared CWE-918
CVE-2026-21887Shared CWE-918
CVE-2026-31910Shared CWE-918
CVE-2026-48153Shared CWE-918
CVE-2026-45298Shared CWE-918
CVE-2026-39362Shared CWE-918
CVE-2026-31989Shared CWE-918
CVE-2025-27652Shared CWE-918

Affected Assets

opensecurity
mobile security framework
≤ 4.3.2

Mitigating Controls

Mitigating Controls (NIST 800-53 r5) AI

prevent

Directly addresses the CVE by requiring timely remediation of the SSRF flaw through patching to MobSF version 4.3.2.

prevent

Requires validation of host inputs in valid_host() to block malicious SSRF payloads, including those exploiting DNS rebinding.

prevent

Enforces secure authoritative DNS resolution to mitigate DNS rebinding attacks that bypass socket.gethostbyname() checks.

References