CVE-2024-29190

Name: CVE-2024-29190
Creator: NVD / NIST
Published: 2024-03-22T23:15:07.123+00:00
License: https://creativecommons.org/publicdomain/zero/1.0/

HIGHCVSS 7.5/10EPSS 0.71%

Last modified Jun 17, 2026

CVE-2024-29190 is a high-severity vulnerability rated 7.5/10 on the CVSS scale. Mobile Security Framework (MobSF) is a pen-testing, malware analysis and security assessment framework capable of performing static and dynamic analysis. In version 3.9.5 Beta and prior, MobSF does not perform any input validation when extracting the hostnames in `android:host`, so requests can also be sent to local hostnames. EPSS estimates a 0.71% chance of exploitation in the next 30 days.

Description

Mobile Security Framework (MobSF) is a pen-testing, malware analysis and security assessment framework capable of performing static and dynamic analysis. In version 3.9.5 Beta and prior, MobSF does not perform any input validation when extracting the hostnames in `android:host`, so requests can also be sent to local hostnames. This can lead to server-side request forgery. An attacker can cause the server to make a connection to internal-only services within the organization's infrastructure. Commit 5a8eeee73c5f504a6c3abdf2a139a13804efdb77 has a hotfix for this issue.

Metrics

CVSS 3.1

7.5/10

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N

EPSS Probability

0.71%

48.9th percentile

Probability of exploitation in the next 30 days. Learn more

Weakness Enumeration

CWE-918

Affected Software

Vendor	Product	Versions
Opensecurity	Mobile Security Framework	< 3.9.7

References

https://drive.google.com/file/d/1nbKMd2sKosbJef5Mh4DxjcHcQ8Hw0BNR/view?usp=share_linkPermissions Required
https://github.com/MobSF/Mobile-Security-Framework-MobSF/commit/5a8eeee73c5f504a6c3abdf2a139a13804efdb77Patch
https://github.com/MobSF/Mobile-Security-Framework-MobSF/security/advisories/GHSA-wfgj-wrgh-h3r3Exploit, Vendor Advisory
https://drive.google.com/file/d/1nbKMd2sKosbJef5Mh4DxjcHcQ8Hw0BNR/view?usp=share_linkPermissions Required
https://github.com/MobSF/Mobile-Security-Framework-MobSF/commit/5a8eeee73c5f504a6c3abdf2a139a13804efdb77Patch
https://github.com/MobSF/Mobile-Security-Framework-MobSF/security/advisories/GHSA-wfgj-wrgh-h3r3Exploit, Vendor Advisory

Timeline

Published: Mar 22, 2024
Last Modified: Jun 17, 2026
Status: Analyzed

Frequently Asked Questions

What is CVE-2024-29190?

How severe is CVE-2024-29190?

CVE-2024-29190 has a CVSS score of 7.5/10 (HIGH severity). The EPSS model estimates a 0.71% probability of exploitation in the next 30 days.

How do I fix CVE-2024-29190?

Check the vendor references and advisories linked above for patched versions and mitigation guidance. You can also run a Strix scan to test if your systems are affected.

Are you affected by CVE-2024-29190?

Run a free Strix scan to check your systems for this vulnerability.

Scan your code now

Source: NVD / NIST