CVE-2021-21381

7.1 HIGH

📋 TL;DR

Flatpak's file forwarding feature contains a vulnerability where a malicious app publisher can place the special tokens @@ or @@u, followed by literal file names, in the Exec= line of the app's .desktop file. Flatpak treats those names as if the user had chosen to open them with the app and forwards them into the sandbox through the document portal, so the app gains access to files outside its declared permissions and the sandbox restrictions are bypassed. All Linux systems running Flatpak versions 0.9.4 through 1.10.1 are affected.

💻 Affected Systems

Products:
  • Flatpak
Versions: 0.9.4 through 1.10.1
Operating Systems: Linux distributions using Flatpak
Default Config Vulnerable: ⚠️ Yes
Notes: All Flatpak installations within the affected version range are vulnerable by default. The file forwarding feature is exercised whenever an installed app is launched through its exported .desktop file (for example from the application menu), so no non-default configuration is required.

📦 What is this software?

Flatpak is a framework for building, distributing and running sandboxed desktop applications on Linux. Apps are installed from remote repositories (such as Flathub), run inside a bubblewrap sandbox with declared permissions, and expose launchers to the host desktop through exported .desktop files.

⚠️ Risk & Real-World Impact

🔴

Worst Case

Malicious Flatpak app gains unauthorized access to sensitive user files (documents, credentials, configuration files) that should be protected by sandbox permissions, potentially leading to data theft or further system compromise.

🟠

Likely Case

Malicious app publisher distributes a compromised Flatpak app that can access user files beyond its declared permissions, violating the sandbox security model.

🟢

If Mitigated

With proper controls, only trusted Flatpak apps are installed, limiting exposure to verified publishers and reducing attack surface.

🌐 Internet-Facing: MEDIUM - Attack requires user to install a malicious Flatpak app from untrusted sources, but distribution channels could be compromised.
🏢 Internal Only: LOW - Requires installation of malicious Flatpak packages, which is less likely in controlled environments with approved software sources.

🎯 Exploit Status

Public PoC: ⚠️ Yes
Weaponized: LIKELY
Unauthenticated Exploit: ✅ No
Complexity: LOW

Exploitation requires the victim to install the malicious Flatpak app and launch it; the forwarded file names live in the exported .desktop file's Exec= line, so an ordinary application-menu launch is enough. The token handling is documented in the vendor advisory and visible in the fix commits, and weaponizing it requires minimal technical skill.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: 1.10.2

Vendor Advisory: https://github.com/flatpak/flatpak/releases/tag/1.10.2

Restart Required: No

Instructions:

1. Update Flatpak using your distribution's package manager:
   • Ubuntu/Debian: sudo apt update && sudo apt upgrade flatpak
   • Fedora/RHEL: sudo dnf update flatpak
   • Arch: sudo pacman -Syu flatpak
2. Verify the update with: flatpak --version

🔧 Temporary Workarounds

Manual .desktop file inspection

linux

Check exported .desktop files for an @@ or @@u token followed by a literal file name instead of a desktop-entry field code (%f, %F, %u, %U). A legitimate export looks like `@@ %f @@` or `@@u %U @@`; anything else between the tokens needs manual review. The pattern below can also match arguments that follow a closing @@, so treat hits as candidates rather than confirmed exploitation.

grep -rE '^Exec=.*@@u?[[:space:]]+[^%@[:space:]]' ~/.local/share/flatpak/exports/share/applications/ /var/lib/flatpak/exports/share/applications/ 2>/dev/null
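The script below is an added example, not code from the Flatpak project or from this advisory. It implements the inspection above as a small parser instead of a bare grep: it walks each Exec= line, treats only @@/@@u ... @@ pairs as forwarding groups, and flags anything inside a group that is not a field code, so arguments outside the tokens do not produce false positives. The app ID, the paths and the two sample Exec lines are constructed for the demonstration.

```bash
#!/bin/bash
# Added example (not Flatpak project code): audit exported .desktop files for
# literal file names wrapped in Flatpak's file-forwarding tokens (CVE-2021-21381).
#
# In an exported Exec= line, legitimate use of the feature looks like
#     ... --file-forwarding org.example.App @@ %f @@     or     ... @@u %U @@
# The only thing between the opening token (@@ or @@u) and the closing @@ is a
# desktop-entry field code that the launcher expands when the user opens a file.
# A literal path in that position came from the app's own .desktop file and is
# forwarded into the sandbox through the document portal on every launch.

# forwarded_literals EXEC_LINE: print each argument between the tokens that is
# not a field code (%f %F %u %U), one per line. Exit 0 = clean, 1 = literal found.
forwarded_literals() {
    printf '%s\n' "$1" | awk '
        {
            inside = 0
            for (i = 1; i <= NF; i++) {
                if (!inside) {
                    if ($i == "@@" || $i == "@@u") inside = 1   # opening token
                } else if ($i == "@@") {
                    inside = 0                                 # closing token
                } else if ($i !~ /^%[fFuU]$/) {
                    print $i                                   # literal argument
                    bad = 1
                }
            }
        }
        END { exit (bad ? 1 : 0) }'
}

# audit_desktop_file FILE: print "FILE: literal" for every suspicious argument
# in its Exec= lines (the main entry and any [Desktop Action] groups).
# Exit 0 = clean, 1 = something to review.
audit_desktop_file() {
    local file=$1 hits
    hits=$(grep '^Exec=' "$file" 2>/dev/null | sed 's/^Exec=//' |
           while IFS= read -r exec_line; do forwarded_literals "$exec_line"; done)
    [ -z "$hits" ] && return 0
    printf '%s\n' "$hits" | awk -v f="$file" '{ print f ": " $0 }'
    return 1
}

# scan_exports [DIR...]: audit every .desktop file in the given directories,
# defaulting to the system-wide and per-user Flatpak export directories.
scan_exports() {
    [ $# -eq 0 ] && set -- /var/lib/flatpak/exports/share/applications \
                           "$HOME/.local/share/flatpak/exports/share/applications"
    local dir f rc=0
    for dir in "$@"; do
        [ -d "$dir" ] || continue
        for f in "$dir"/*.desktop; do
            [ -e "$f" ] || continue
            audit_desktop_file "$f" || rc=1
        done
    done
    return $rc
}

# Constructed sample lines (not taken from a real installation):
BENIGN_EXEC='flatpak run --file-forwarding org.example.Viewer @@ %f @@'
MALICIOUS_EXEC='flatpak run --file-forwarding org.example.Viewer @@ /home/user/.ssh/id_rsa @@ @@ %f @@'

if forwarded_literals "$BENIGN_EXEC" >/dev/null; then
    echo "benign line: only field codes are forwarded"
fi
if ! forwarded_literals "$MALICIOUS_EXEC"; then
    echo "^ literal path forwarded into the sandbox at every launch"
fi
```

Run `scan_exports` with no arguments on a host to audit the real export directories; a non-zero exit means at least one file carries a literal forwarded argument and should be reviewed by hand before the app is launched again.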

Restrict Flatpak sources

linux

Only install Flatpak apps from trusted repositories and verified publishers

🧯 If You Can't Patch

  • Disable or uninstall Flatpak if not required
  • Implement strict application allowlisting for Flatpak installations

🔍 How to Verify

Check if Vulnerable:

Check the Flatpak version: flatpak --version. If the reported version is between 0.9.4 and 1.10.1 inclusive, the system is vulnerable, unless your distribution has backported the fix under an older version string (check the package changelog for CVE-2021-21381).

Check Version:

flatpak --version

Verify Fix Applied:

Confirm the Flatpak version is 1.10.2 or higher. Compare with version ordering rather than a string pattern, since 1.8.x (vulnerable) sorts before 1.10.2 and 1.10.10 (patched) sorts after it:

[ "$(printf '1.10.2\n%s\n' "$(flatpak --version | awk '{print $NF}')" | sort -V | head -n1)" = 1.10.2 ] && echo 'Patched'
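As an added example (not from the Flatpak project or this page), the check below compares the installed version against the affected range component by component, which a regex on the version string cannot do reliably. It assumes `flatpak --version` prints a string ending in the version number, e.g. `Flatpak 1.10.1`; the function and variable names are the example's own.

```bash
#!/bin/bash
# Added example (not Flatpak project code): classify an installed Flatpak
# version against the CVE-2021-21381 range 0.9.4 <= v < 1.10.2.
# Versions are compared as dot-separated integers so that 1.8.8 < 1.10.2 and
# 1.10.2 < 1.10.10, which a textual comparison gets wrong.

# version_ge A B: exit 0 if A >= B in version order.
version_ge() {
    awk -v a="$1" -v b="$2" '
        BEGIN {
            na = split(a, x, "."); nb = split(b, y, ".")
            n = (na > nb) ? na : nb
            for (i = 1; i <= n; i++) {
                ai = (i <= na) ? x[i] + 0 : 0    # missing components count as 0
                bi = (i <= nb) ? y[i] + 0 : 0
                if (ai > bi) exit 0
                if (ai < bi) exit 1
            }
            exit 0                               # equal
        }'
}

# cve_2021_21381_status VERSION: print vulnerable, patched or unaffected.
cve_2021_21381_status() {
    local v=$1
    if ! version_ge "$v" 0.9.4; then
        echo unaffected          # file forwarding did not exist before 0.9.4
    elif version_ge "$v" 1.10.2; then
        echo patched
    else
        echo vulnerable
    fi
}

# installed_flatpak_version: "Flatpak 1.10.1" -> "1.10.1" (empty if not installed).
installed_flatpak_version() {
    flatpak --version 2>/dev/null | awk '{print $NF}'
}

if v=$(installed_flatpak_version) && [ -n "$v" ]; then
    echo "flatpak $v: $(cve_2021_21381_status "$v")"
else
    echo "flatpak not installed or not on PATH"
fi
```

A "vulnerable" result from this check is a conservative indicator: a distribution that backports the fix without bumping the version string will still be reported as vulnerable, so confirm against the package changelog in that case.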

📡 Detection & Monitoring

Log Indicators:

  • Unusual file access by Flatpak applications, in particular document-portal entries (under $XDG_RUNTIME_DIR/doc) created at app launch for files the user never opened with the app
  • New or changed .desktop files in the Flatpak export directories (/var/lib/flatpak/exports/share/applications/, ~/.local/share/flatpak/exports/share/applications/) whose Exec= line forwards literal paths between @@ tokens

Network Indicators:

  • Downloads of Flatpak apps from untrusted sources

SIEM Query:

Process execution where parent_process contains 'flatpak' AND file_access includes sensitive paths outside expected sandbox
