{"id":"PYSEC-2024-256","details":"Mobile Security Framework (MobSF) is a pen-testing, malware analysis and security assessment framework capable of performing static and dynamic analysis. In versions prior to 3.9.7, the requests.get() call in the _check_url method is made with allow_redirects=True, so the redirect is followed; this allows server-side request forgery (SSRF) when a request to .well-known/assetlinks.json returns a 302 redirect. This is a bypass of the fix for CVE-2024-29190 and is fixed in 3.9.7.","aliases":["CVE-2024-54000","GHSA-m435-9v6r-v5f6"],"modified":"2025-06-27T18:14:49.203947Z","published":"2024-12-03T16:15:24Z","references":[{"type":"ADVISORY","url":"https://github.com/MobSF/Mobile-Security-Framework-MobSF/security/advisories/GHSA-m435-9v6r-v5f6"},{"type":"FIX","url":"https://github.com/MobSF/Mobile-Security-Framework-MobSF/commit/f22c584aa7d43527970c9da61eb678953cfc0a8e"}],"affected":[{"package":{"name":"mobsf","ecosystem":"PyPI","purl":"pkg:pypi/mobsf"},"ranges":[{"type":"GIT","repo":"https://github.com/mobsf/mobile-security-framework-mobsf","events":[{"introduced":"0"},{"fixed":"f22c584aa7d43527970c9da61eb678953cfc0a8e"}]},{"type":"ECOSYSTEM","events":[{"introduced":"0"},{"fixed":"3.9.7"}]}],"versions":["3.2.6","3.2.7","3.2.8","3.2.9","3.3.3","3.3.5","3.4.0","3.4.3","3.4.6","3.5.0","3.6.0","3.6.9","3.7.6"],"database_specific":{"source":"https://github.com/pypa/advisory-database/blob/main/vulns/mobsf/PYSEC-2024-256.yaml"}}],"schema_version":"1.7.3"}