
Cgwalters

#32294 of 53,632
7.8 CVSS total
Vulnerabilities · 1
PT-2017-19183
7.8
2017-06-21
Flatpak · Flatpak · CVE-2017-9780
**Name of the Vulnerable Software and Affected Versions**

Flatpak versions prior to 0.8.7

**Description**

A third-party app repository could include malicious apps with files that have inappropriate permissions, such as setuid or world-writable. These files are deployed with the specified permissions, allowing a local attacker to run the setuid executable or write to the world-writable location. In the case of the "system helper" component, files deployed as part of the app are owned by root, potentially leading to setuid root in the worst-case scenario.

**Recommendations**

For versions prior to 0.8.7, update to version 0.8.7 or later to resolve the issue. As a temporary workaround, consider restricting the installation of apps from third-party repositories to minimize the risk of exploitation.