MVT Path Traversal Vulnerability in iOS Backup Processing

Vulnerability

A path traversal vulnerability has been identified in MVT (Mobile Verification Toolkit) versions through 2026.4.28, in the iOS backup processing module. The fileID values read from the Manifest.db SQLite database of an iOS backup are used unsanitized when constructing filesystem paths, so a fileID containing traversal sequences resolves to a location outside the backup directory. The flaw affects the 'decrypt-backup' and 'check-backup' commands and allows file read and write operations outside the intended backup directory.

Impact

Because MVT's input is the backup itself, a crafted or tampered backup is sufficient to trigger the flaw. Exploitation could lead to file writes to arbitrary locations on the analyst's filesystem, which may allow code execution through shell profile modifications or SSH key injection. The vulnerability also permits reading files outside the backup directory, with the parsed contents being integrated into MVT's JSON results and CSV timelines.

Reproduction

To reproduce this vulnerability, use MVT version 2026.4.28 or earlier and run 'mvt-ios decrypt-backup' against a crafted iOS backup whose Manifest.db contains a manipulated fileID. The traversal sequences in the fileID cause the decrypted content to be written to an arbitrary location on the filesystem. Alternatively, run 'mvt-ios check-backup' against the same kind of backup: the unvalidated fileID makes MVT parse files outside the backup directory, provided the targeted file matches the schema expected by the MVT module that processes it.
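The following is an added example, not code from MVT or from this advisory, illustrating the path construction flaw described in the Vulnerability and Reproduction sections beside a hardened resolver. It assumes the standard iOS backup layout (files stored at <backup>/<fileID[:2]>/<fileID>, where fileID is the hex SHA-1 of "<domain>-<relativePath>") and a Manifest.db "Files" table with fileID, domain and relativePath columns; the Manifest.db it builds is a constructed fixture, and the function names are hypothetical. The same check applies to both the write path (decrypt-backup) and the read path (check-backup).

```python
import hashlib
import os
import re
import sqlite3
import tempfile

# Assumption: iOS backup layout <backup>/<fileID[:2]>/<fileID>, with fileID being
# the hex SHA-1 of "<domain>-<relativePath>". A legitimate fileID is therefore
# exactly 40 lowercase hex characters and can never contain a path separator.
FILE_ID_RE = re.compile(r"^[0-9a-f]{40}$")

# Constructed legitimate fileID for the SMS database in HomeDomain.
GOOD_FILE_ID = hashlib.sha1(b"HomeDomain-Library/SMS/sms.db").hexdigest()


def vulnerable_backup_path(backup_dir: str, file_id: str) -> str:
    """The pattern the advisory describes: a fileID taken straight from
    Manifest.db is joined into a path with no validation. normpath is applied
    only to show where the OS would actually resolve the read or write."""
    return os.path.normpath(os.path.join(backup_dir, file_id[:2], file_id))


def safe_backup_path(backup_dir: str, file_id: str) -> str:
    """Hardened variant: allow-list the fileID format first, then confirm the
    resolved path still sits under the backup root (defence in depth against
    symlinks inside the backup or an unexpected separator)."""
    if not FILE_ID_RE.fullmatch(file_id):
        raise ValueError(f"malformed fileID: {file_id!r}")
    root = os.path.realpath(backup_dir)
    candidate = os.path.realpath(os.path.join(root, file_id[:2], file_id))
    if os.path.commonpath([root, candidate]) != root:
        raise ValueError(f"fileID escapes backup directory: {file_id!r}")
    return candidate


def build_manifest(db_path: str, rows) -> None:
    """Create a minimal Manifest.db fixture (constructed for this example; a
    real Manifest.db carries more columns and a bplist in the file column)."""
    con = sqlite3.connect(db_path)
    con.execute(
        "CREATE TABLE Files (fileID TEXT PRIMARY KEY, domain TEXT, "
        "relativePath TEXT, flags INTEGER, file BLOB)"
    )
    con.executemany("INSERT INTO Files VALUES (?, ?, ?, ?, NULL)", rows)
    con.commit()
    con.close()


def audit_manifest(backup_dir: str) -> dict:
    """Walk Manifest.db and classify every fileID with the hardened resolver.
    Returns {fileID: resolved path} for accepted entries and
    {fileID: 'REJECTED: <reason>'} for entries that would have escaped."""
    verdicts = {}
    con = sqlite3.connect(os.path.join(backup_dir, "Manifest.db"))
    for file_id, _domain, _rel in con.execute(
        "SELECT fileID, domain, relativePath FROM Files"
    ):
        try:
            verdicts[file_id] = safe_backup_path(backup_dir, file_id)
        except ValueError as exc:
            verdicts[file_id] = f"REJECTED: {exc}"
    con.close()
    return verdicts


def demo() -> dict:
    """Build a constructed backup directory with one legitimate fileID and two
    hostile ones (relative traversal and an absolute path) and audit it."""
    backup = tempfile.mkdtemp(prefix="mvt-example-")
    rows = [
        (GOOD_FILE_ID, "HomeDomain", "Library/SMS/sms.db", 1),
        ("../../../../tmp/pwned_profile", "HomeDomain", ".bash_profile", 1),
        ("/etc/passwd", "SystemDomain", "passwd", 1),
    ]
    build_manifest(os.path.join(backup, "Manifest.db"), rows)
    return audit_manifest(backup)


if __name__ == "__main__":
    print("vulnerable resolution:",
          vulnerable_backup_path("/backup", "../../../../tmp/pwned_profile"))
    for file_id, verdict in demo().items():
        print(f"{file_id!r}: {verdict}")
```

Running the script shows the unvalidated join resolving "../../../../tmp/pwned_profile" to /tmp/pwned_profile, while the audit accepts only the 40-hex fileID and rejects both hostile rows before any read or write happens. The format allow-list alone blocks this class of input; the commonpath check is kept so the decision does not depend on the regex being the only guard.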

Remediation

Upgrade to MVT version 2026.5.12 or later, which addresses this vulnerability. Until then, process only backups taken from devices you control, since a crafted Manifest.db is the trigger.

Added: Jun 8, 2026, 7:21 PM
Updated: Jun 8, 2026, 7:21 PM

Vulnerability Rating

Custom Algorithm
spread          0.0
impact          2.5
exploitability  4.6
remediation     0.0
relevance       9.3
threat          1.6
urgency         2.9
incentive       0.0

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.