CVE-2021-34363

9.1 CRITICAL

📋 TL;DR

CVE-2021-34363 is a path traversal vulnerability in the thefuck Python package that allows an attacker to delete arbitrary files via its 'undo archive operation' feature. It affects users of thefuck versions before 3.31 who have the package installed and use the undo functionality. The vulnerability could lead to system compromise through file deletion.
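To make the traversal concrete from the defender's side, here is an added illustration (not thefuck's code, and a simplification of what its undo does): an undo routine that deletes the files an archive extracted, first in the vulnerable form that trusts member names as given, then hardened so any member that resolves outside the working directory is skipped, which is the kind of containment check that closes this class of hole. The names is_within, unsafe_undo, safe_undo, victim_survives and SAMPLE_MEMBERS are hypothetical, and the member list is constructed sample input.

```python
import os
import tempfile

# Constructed sample input (not from thefuck): names an archive could carry.
# "../victim.txt" is the path-traversal case the advisory describes.
SAMPLE_MEMBERS = ["readme.txt", "docs/notes.txt", "../victim.txt"]

def is_within(base, member):
    """True only if `member`, resolved against `base`, stays inside `base`."""
    base = os.path.realpath(base)
    target = os.path.realpath(os.path.join(base, member))
    # commonpath, unlike a bare startswith() prefix test, also rejects a
    # sibling such as /tmp/work2 when base is /tmp/work.
    return os.path.commonpath([base, target]) == base

def unsafe_undo(base, members):
    """Vulnerable pattern: trusts member names and deletes whatever they name."""
    removed = []
    for name in members:
        path = os.path.join(base, name)
        if os.path.isfile(path):
            os.remove(path)
            removed.append(name)
    return removed

def safe_undo(base, members):
    """Hardened pattern: skip any member that resolves outside `base`."""
    removed, skipped = [], []
    for name in members:
        if not is_within(base, name):
            skipped.append(name)  # traversal attempt: leave the file alone
            continue
        path = os.path.join(base, name)
        if os.path.isfile(path):
            os.remove(path)
            removed.append(name)
    return removed, skipped

def victim_survives(undo):
    """Create a work dir plus one file outside it, run `undo`, report survival."""
    with tempfile.TemporaryDirectory() as root:
        work = os.path.join(root, "work")
        os.makedirs(os.path.join(work, "docs"))
        for name in ("readme.txt", "docs/notes.txt"):
            open(os.path.join(work, name), "w").close()
        victim = os.path.join(root, "victim.txt")  # outside the work dir
        open(victim, "w").close()
        undo(work, SAMPLE_MEMBERS)
        return os.path.exists(victim)
```

Calling victim_survives(unsafe_undo) returns False (the file outside the work directory is gone), while victim_survives(safe_undo) returns True and safe_undo reports "../victim.txt" in its skipped list.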

💻 Affected Systems

Products:
  • thefuck (The Fuck) Python package
Versions: All versions before 3.31
Operating Systems: Linux, macOS, Windows
Default Config Vulnerable: ⚠️ Yes
Notes: Vulnerability is present in default configuration when using the undo archive operation feature.

⚠️ Risk & Real-World Impact

🔴 Worst Case

Complete system compromise through deletion of critical system files, potentially leading to data loss, service disruption, or privilege escalation.

🟠 Likely Case

Local file deletion affecting user data, configuration files, or application files, potentially disrupting operations.

🟢 If Mitigated

Limited impact if proper file permissions restrict write access to sensitive directories.

🌐 Internet-Facing: LOW - Thefuck is typically a local command-line tool not exposed to internet.
🏢 Internal Only: MEDIUM - Requires local access or remote code execution via other vulnerabilities to exploit.

🎯 Exploit Status

Public PoC: ⚠️ Yes
Weaponized: LIKELY
Unauthenticated Exploit: ✅ No
Complexity: LOW

Exploitation requires local access or ability to execute commands on the system. Proof of concept available in public advisories.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: 3.31 and later

Vendor Advisory: https://github.com/nvbn/thefuck/releases/tag/3.31

Restart Required: No

Instructions:

1. Update thefuck using pip (quote the specifier, otherwise the shell treats `>=3.31` as an output redirection): pip install --upgrade 'thefuck>=3.31'
2. Verify installation: thefuck --version
3. Ensure version is 3.31 or higher

🔧 Temporary Workarounds

Disable thefuck (all platforms)

Temporarily disable or uninstall the thefuck package until patched:

pip uninstall thefuck
Remove thefuck from PATH or shell configuration (the eval $(thefuck --alias) line in your shell rc file)

Restrict file permissions (linux)

Set restrictive permissions on sensitive directories to limit damage. The undo runs with the privileges of the user who invoked thefuck, so permissions only protect files that user could not already delete:

chmod 755 /etc
chmod 755 /usr
chmod 700 ~/.ssh

🧯 If You Can't Patch

  • Remove execute permissions from thefuck binary or script
  • Implement strict file system monitoring and alerting for deletion attempts

🔍 How to Verify

Check if Vulnerable:

Extract the installed version from the banner (2>&1 captures it whether thefuck writes it to stdout or stderr) and compare major.minor against 3.31; a plain grep on the first character cannot distinguish 3.30 from 3.31:

v=$(thefuck --version 2>&1 | grep -oE '[0-9]+\.[0-9]+' | head -n1)
[ -n "$v" ] && echo "$v" | awk -F. '$1 < 3 || ($1 == 3 && $2 < 31) { print "VULNERABLE" }'

Check Version:

thefuck --version

Verify Fix Applied:

Verify the version is 3.31 or higher:

v=$(thefuck --version 2>&1 | grep -oE '[0-9]+\.[0-9]+' | head -n1)
[ -n "$v" ] && echo "$v" | awk -F. '$1 > 3 || ($1 == 3 && $2 >= 31) { print "PATCHED" }'

📡 Detection & Monitoring

Log Indicators:

  • Unexpected file deletion events in system logs
  • thefuck process accessing files outside user directories

Network Indicators:

  • Not applicable - local vulnerability

SIEM Query:

process.name:"thefuck" AND (file.path:"/etc/*" OR file.path:"/usr/*" OR file.path:"/root/*")

The parentheses matter: without them, operator precedence lets any of the path terms match on its own, so events from unrelated processes touching /usr or /etc would fire the alert.
