CVE-2021-21381: Flatpak is a system for building, distributing, and running sandboxed desktop applications on Linux. In Flatpack since version 0.9.4 and before versio...

Description

Flatpak is a system for building, distributing, and running sandboxed desktop applications on Linux. In Flatpack since version 0.9.4 and before version 1.10.2 has a vulnerability in the "file forwarding" feature which can be used by an attacker to gain access to files that would not ordinarily be allowed by the app's permissions. By putting the special tokens `@@` and/or `@@u` in the Exec field of a Flatpak app's .desktop file, a malicious app publisher can trick flatpak into behaving as though the user had chosen to open a target file with their Flatpak app, which automatically makes that file available to the Flatpak app. This is fixed in version 1.10.2. A minimal solution is the first commit "`Disallow @@ and @@U usage in desktop files`". The follow-up commits "`dir: Reserve the whole @@ prefix`" and "`dir: Refuse to export .desktop files with suspicious uses of @@ tokens`" are recommended, but not strictly required. As a workaround, avoid installing Flatpak apps from untrusted sources, or check the contents of the exported `.desktop` files in `exports/share/applications/*.desktop` (typically `~/.local/share/flatpak/exports/share/applications/*.desktop` and `/var/lib/flatpak/exports/share/applications/*.desktop`) to make sure that literal filenames do not follow `@@` or `@@u`.

Metrics

CVSS 3.1

8.2/10

CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:N

EPSS Probability

1.55%

71.8th percentile

Probability of exploitation in the next 30 days. Learn more

Weakness Enumeration

CWE-74

Affected Software

Vendor	Product	Versions
Flatpak	Flatpak	>= 0.9.4, < 1.10.2
Debian	Debian Linux	10.0
Fedoraproject	Fedora	33
Fedoraproject	Fedora	34

References

https://github.com/flatpak/flatpak/commit/8279c5818425b6812523e3805bbe242fb6a5d961Patch, Third Party Advisory
https://github.com/flatpak/flatpak/commit/a7401e638bf0c03102039e216ab1081922f140aePatch, Third Party Advisory
https://github.com/flatpak/flatpak/commit/eb7946bb6248923d8c90fe9b84425fef97ae580dPatch, Third Party Advisory
https://github.com/flatpak/flatpak/pull/4156Patch, Third Party Advisory
https://github.com/flatpak/flatpak/releases/tag/1.10.2Release Notes, Third Party Advisory
https://github.com/flatpak/flatpak/security/advisories/GHSA-xgh4-387p-hqppThird Party Advisory
https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/2MXXLXC2DPJ45HSMTI5MZYHMYEGQN6AA/
https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/WXNVFOIB6ZP4DGOVKAM25T6OIEP3YLGV/
https://security.gentoo.org/glsa/202312-12
https://www.debian.org/security/2021/dsa-4868Third Party Advisory
https://github.com/flatpak/flatpak/commit/8279c5818425b6812523e3805bbe242fb6a5d961Patch, Third Party Advisory
https://github.com/flatpak/flatpak/commit/a7401e638bf0c03102039e216ab1081922f140aePatch, Third Party Advisory
https://github.com/flatpak/flatpak/commit/eb7946bb6248923d8c90fe9b84425fef97ae580dPatch, Third Party Advisory
https://github.com/flatpak/flatpak/pull/4156Patch, Third Party Advisory
https://github.com/flatpak/flatpak/releases/tag/1.10.2Release Notes, Third Party Advisory
https://github.com/flatpak/flatpak/security/advisories/GHSA-xgh4-387p-hqppThird Party Advisory
https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/2MXXLXC2DPJ45HSMTI5MZYHMYEGQN6AA/
https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/WXNVFOIB6ZP4DGOVKAM25T6OIEP3YLGV/
https://security.gentoo.org/glsa/202312-12
https://www.debian.org/security/2021/dsa-4868Third Party Advisory

Timeline

Published: Mar 11, 2021
Last Modified: Jun 17, 2026
Status: Modified

Frequently Asked Questions

What is CVE-2021-21381?

Flatpak is a system for building, distributing, and running sandboxed desktop applications on Linux. In Flatpack since version 0.9.4 and before version 1.10.2 has a vulnerability in the "file forwarding" feature which can be used by an attacker to gain access to files that would not ordinarily be allowed by the app's permissions. By putting the special tokens `@@` and/or `@@u` in the Exec field of a Flatpak app's .desktop file, a malicious app publisher can trick flatpak into behaving as though the user had chosen to open a target file with their Flatpak app, which automatically makes that file available to the Flatpak app. This is fixed in version 1.10.2. A minimal solution is the first commit "`Disallow @@ and @@U usage in desktop files`". The follow-up commits "`dir: Reserve the whole @@ prefix`" and "`dir: Refuse to export .desktop files with suspicious uses of @@ tokens`" are recommended, but not strictly required. As a workaround, avoid installing Flatpak apps from untrusted sources, or check the contents of the exported `.desktop` files in `exports/share/applications/*.desktop` (typically `~/.local/share/flatpak/exports/share/applications/*.desktop` and `/var/lib/flatpak/exports/share/applications/*.desktop`) to make sure that literal filenames do not follow `@@` or `@@u`.

How severe is CVE-2021-21381?

CVE-2021-21381 has a CVSS score of 8.2/10 (HIGH severity). The EPSS model estimates a 1.55% probability of exploitation in the next 30 days.

How do I fix CVE-2021-21381?

Check the vendor references and advisories linked above for patched versions and mitigation guidance. You can also run a Strix scan to test if your systems are affected.