CVE-2021-40531

Published: Sep 6, 2021Modified: Jun 17, 2026

9.8

Vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Exploitability: 3.9 / Impact: 5.9

Source: NVD

Description

Sketch before 75 allows library feeds to be used to bypass file quarantine. Files are automatically downloaded and opened, without the com.apple.quarantine extended attribute. This results in remote code execution, as demonstrated by CommandString in a terminal profile to Terminal.app.

Affected (1)

Products: Sketch: Sketch

1 product

Configuration A

1 vulnerable · 1 platform

Vulnerable Software	Affected Versions
Sketch Sketch	Before 75

Running on/with	Platform Versions
Apple Macos	All versions

Related CWEs

Unrestricted Upload of File with Dangerous Type

The product allows the upload or transfer of dangerous file types that are automatically processed within its environment.

References (4)

https://jonpalmisc.com/2021/11/22/cve-2021-40531

Source: cve@mitre.org

ExploitThird Party Advisory

https://www.sketch.com/updates/#version-75

Source: cve@mitre.org

PatchRelease NotesVendor Advisory

https://jonpalmisc.com/2021/11/22/cve-2021-40531

Source: af854a3a-2127-422b-91ae-364da2661108

ExploitThird Party Advisory

https://www.sketch.com/updates/#version-75

Source: af854a3a-2127-422b-91ae-364da2661108

PatchRelease NotesVendor Advisory

Timeline

No history available yet.