CVE-2024-42472 - Dangerous Flatpak Escape – How a Sandbox Hole Could Expose Your Files

Flatpak is a popular application distribution and sandboxing system used by many Linux distributions to isolate apps, but early 2024 revealed a significant hole. CVE-2024-42472 is a security vulnerability that, when exploited, lets malicious Flatpak apps access files outside their sandboxed environment—the core thing Flatpak is meant to prevent. This article explains the exploit, what went wrong, how it works, and how you can protect yourself.

What Is Flatpak, and How Is It Supposed to Protect Me?

Flatpak apps run inside a container (“sandbox”) isolated from the real system, with strict controls over what files/applications they can see. A core part of this is restricting access to the home directory and only letting apps access areas they’re specifically allowed to see, usually via permissions.

Flatpak has a feature called persistent directories (the --persist command-line flag, or persistent in permission lists). This lets an app have a part of your home directory that stays between runs (for config, documents, etc). When you add persistent=subdir, for example:

flatpak run --persist=config com.example.SomeApp

the app sees an empty home directory, except for a writable config folder. On disk, it’s implemented by bind-mounting a folder from inside Flatpak’s own data space, like ~/.var/app/com.example.SomeApp/config.

The Vulnerability: CVE-2024-42472 Explained

The Bug: If the real, underlying data directory for a persistent mount is replaced by a symlink (symbolic link), then during app startup, the sandbox blindly bind-mounts whatever the symlink points to. That means the Flatpak app, which should only see ~/.var/app/com.example.SomeApp/config, could instead see *any* file or directory pointed to by the attacker (even outside .var/app).

Attacker releases a Flatpak app or gets a real one compromised.

- The app, running *inside* the sandbox, replaces ~/.var/app/$APPID/config with a symlink to *any* target (for example, ~/.ssh or /etc/passwd).
- On next launch, the host Flatpak binds the symlink target as the “sandboxed” home directory subfolder.
- The app can now read/write system or user files it should never be able to touch.

This could leak passwords, SSH keys, configuration data—violating confidentiality and integrity guarantees.

Let's see a simple code snippet (assuming a Flatpak app with --persist=testdir permission)

import os
import subprocess

APPID = 'com.example.VulnerableApp'
persist_dir = os.path.expanduser(f'~/.var/app/{APPID}/testdir')
symlink_target = '/etc'

# Remove current persistent directory
os.system(f'rm -rf {persist_dir}')

# Replace with a symlink to /etc
os.symlink(symlink_target, persist_dir)

print(f"Symlink created: {persist_dir} -> {symlink_target}")

# On host, next time app is started:
# $ flatpak run --persist=testdir com.example.VulnerableApp
# Inside the sandbox, testdir gives direct access to /etc

Result: When the app is launched again, its “testdir” now maps to /etc on the host. Any operation in "testdir" affects /etc files.

Flatpak trusted that the persistent data directory would always be a real folder, not a symlink. But

- Flatpak apps have *write* access to their own ~/.var/app/$APPID directory.
- Flatpak/bubblewrap did not check if these directories were secretly replaced with symlinks.

Race Condition and Partial Fixes

Initial fixes (see ceec2ffc and 98f79773) tried to protect against the symlink swap, but a race condition remained:

The Real Fix – bubblewrap Update

Fully fixing this requires updating bubblewrap (the underlying sandbox tool). Bubblewrap now has a --bind-fd option that avoids following symlinks via file descriptors. Flatpak must use this option and new bubblewrap versions.

How you patch depends on your setup

- Distro Flatpak: Patch both Flatpak and your system’s /usr/bin/bwrap.
- From Source: Patch Flatpak and its bundled flatpak-bwrap (/usr/libexec/flatpak-bwrap).

Flatpak 1.15.10 (with bubblewrap .10.)

Old Flatpak versions (1.12.x, 1.10.x) stay vulnerable.

Update to Flatpak ≥ 1.14.10 (stable) or 1.15.10 (dev).

- Make sure your system’s bubblewrap (/usr/bin/bwrap) is also updated.

For system administrators: Backport the patch if using long-term-support distros.

Workaround: Avoid Flatpak apps needing --persist (“persistent directories”) if you must use an old Flatpak.

Check your version

flatpak --version
bwrap --version

References

- Flatpak Security Notice
- Flatpak Commit ceec2ffc
- Flatpak Commit 98f79773
- bubblewrap "--bind-fd" pull request
- GitHub Issue Discussion
- Red Hat Security Notice
- Official CVE Record

The Takeaway

Flatpak is a great tool for isolating Linux apps, but CVE-2024-42472 proves all sandboxes need regular security reviews. If you use Flatpak, update now. If you’re a developer, be wary of symlinks and permission tricks. Sandboxes aren’t magic—they’re code, and code has flaws.

Stay safe, keep patched, and don’t trust every app you install—even inside a sandbox.

If you want hands-on advice or have questions about your distro, let me know in the comments!

Timeline

Published on: 08/15/2024 19:15:19 UTC
Last modified on: 08/19/2024 13:00:23 UTC