Improper Neutralization of Argument Delimiters in a Decompiling Package Process
Description
APKLeaks before v2.0.3 allows remote command injection via malicious package names in APK manifest.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Vulnerability
Description
APKLeaks is an open-source tool that scans APK files for URIs, endpoints, and secrets. Prior to version 2.0.3, APKLeaks was vulnerable to OS command injection (CVE-2021-21386). The package name read from the application manifest is interpolated, without any escaping, into the shell command string that APKLeaks builds for the decompilation step [1][4]. Specifically, decompile() formats the jadx command line with %-substitution and hands the result to os.system(), so a package name containing shell metacharacters is parsed by the shell as additional commands or arguments rather than as a single file name [3].
Exploitation
To exploit this vulnerability, an attacker supplies a crafted APK whose manifest package attribute contains shell metacharacters, such as a semicolon, backticks, or $(...). When APKLeaks decompiles the APK, it builds the jadx command line from that unsanitized package name and passes it to the shell, which executes the injected commands [4]. With a semicolon the injected command runs regardless of whether jadx itself succeeds. No authentication is involved: any channel through which an untrusted APK reaches an APKLeaks run (a bulk-scanning pipeline, a malware triage host, a user scanning a downloaded sample) is sufficient.
Impact
Successful exploitation gives a remote attacker arbitrary OS command execution with the privileges of the user running APKLeaks. That is enough to read or modify sensitive data on the analysis host or to compromise the host outright; on a shared scanning service, one malicious upload compromises the service for every user [4].
Mitigation
The fix commit a966e78 ("Escapes decompiling arguments") builds the jadx invocation as a list of arguments and shell-quotes each one with pipes.quote() before joining them into the string passed to os.system() [3]. The sources on this page disagree on the first fixed release: the CVE description says versions before 2.0.3 are affected, the GitHub Security Advisory lists versions below 2.0.4 as affected with 2.0.4 patched, and the product range below is given as < 2.0.6-dev. Upgrading to the latest release covers all three. There is no known workaround for affected versions [4]. Two caveats for anyone maintaining a fork or a similar tool: pipes.quote() is simply shlex.quote() re-exported, and the pipes module was deprecated in Python 3.11 and removed in 3.13, so use shlex.quote() directly; and per-argument quoting still routes the command through a shell, whereas passing the argument list to subprocess.run() without shell=True removes the injection surface altogether.
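The following Python example is added here and is not APKLeaks code. It covers both the Exploitation and Mitigation sections above: it reproduces the pre-fix %-formatting pattern and the post-fix per-argument quoting pattern from commit a966e78, tokenises each resulting command line the way a POSIX shell would (so the injected command becomes visible without executing anything), adds a package-name grammar check as a second layer, and shows the argv-list alternative that avoids the shell entirely. The jadx path, the working directory, the assumption that the .dex file is named after the manifest package, and the sample package names are all assumed or constructed for the example.

```python
"""Command-injection check for the APKLeaks decompile() pattern (CVE-2021-21386).

Added example, not APKLeaks code. Reproduces the pre-fix string-formatting
pattern and the post-fix quoting pattern from commit a966e78, tokenises both
command lines the way a POSIX shell would (without executing them), and shows
the argv-list alternative that removes the shell altogether.
"""
import json
import posixpath
import re
import shlex
import subprocess
import sys

# Constructed sample inputs. Android package names are normally dotted Java
# identifiers, but a hand-built manifest can carry any string, so this is the
# kind of value a malicious APK could supply.
BENIGN_PACKAGE = "com.example.app"
MALICIOUS_PACKAGE = "com.example.app; touch /tmp/pwned; #"

JADX = "/usr/bin/jadx"          # assumed jadx location
TEMPDIR = "/tmp/apkleaks-work"  # assumed working directory


def dex_path(package, tempdir):
    # Assumption: the extracted .dex file is named after the manifest package,
    # which is how the package name reaches the command line. posixpath keeps
    # the result identical on every host.
    return posixpath.join(tempdir, package + ".dex")


def vulnerable_command(jadx, package, tempdir):
    """Pre-fix pattern: raw %-formatting into a single shell string."""
    dex = dex_path(package, tempdir)
    return "%s %s -d %s --deobf" % (jadx, dex, tempdir)


def escaped_command(jadx, package, tempdir):
    """Post-fix pattern (commit a966e78); shlex.quote is what pipes.quote
    re-exported, so the quoting is identical."""
    dex = dex_path(package, tempdir)
    args = [jadx, dex, "-d", tempdir, "--deobf"]
    return " ".join(shlex.quote(arg) for arg in args)


def shell_commands(command):
    """Split a command line into the simple commands a POSIX shell would run.

    Quoting is honoured and ';', '|', '&' are treated as separators, so the
    number of commands returned shows whether injection succeeded, without
    running anything.
    """
    lexer = shlex.shlex(command, posix=True, punctuation_chars=True)
    lexer.whitespace_split = True
    commands, current = [], []
    for tok in lexer:
        if tok in (";", "|", "||", "&", "&&"):
            if current:
                commands.append(current)
            current = []
        else:
            current.append(tok)
    if current:
        commands.append(current)
    return commands


# Android's documented package-name grammar: two or more dot-separated Java
# identifiers. Enforcing it when the manifest is parsed is an independent
# second layer on top of quoting (it also rules out '/' and '..' in the name).
_PACKAGE_RE = re.compile(r"^[A-Za-z][A-Za-z0-9_]*(\.[A-Za-z][A-Za-z0-9_]*)+$")


def is_valid_package_name(name):
    return bool(_PACKAGE_RE.match(name))


def argv_roundtrip(package, tempdir=TEMPDIR):
    """Pass the arguments as an argv list with no shell and return the argv the
    child process actually received. The Python interpreter stands in for jadx
    so this runs offline; a metacharacter-laden package name arrives as one
    literal argument, which is the stronger fix."""
    argv = [sys.executable, "-c",
            "import json, sys; print(json.dumps(sys.argv[1:]))",
            dex_path(package, tempdir), "-d", tempdir, "--deobf"]
    out = subprocess.run(argv, capture_output=True, text=True, check=True).stdout
    return json.loads(out)


if __name__ == "__main__":
    for label, build in (("vulnerable", vulnerable_command), ("escaped", escaped_command)):
        cmd = build(JADX, MALICIOUS_PACKAGE, TEMPDIR)
        print(label, "->", len(shell_commands(cmd)), "command(s):", cmd)
    print("valid package name?", is_valid_package_name(MALICIOUS_PACKAGE))
    print("argv without a shell:", argv_roundtrip(MALICIOUS_PACKAGE))
```

Running the block prints two commands for the vulnerable builder (jadx, then the injected touch) and one for the escaped builder, rejects the malicious name under the grammar check, and shows the whole package string arriving in the child's argv as a single element when no shell is involved.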
AI Insight generated on May 21, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected packages
Versions sourced from the GitHub Security Advisory.
| Package | Affected versions | Patched versions |
|---|---|---|
| APKLeaks (PyPI) | < 2.0.4 | 2.0.4 |
Affected products
- Range: < 2.0.6-dev
Patches
a966e781499f · Escapes decompiling arguments
1 file changed · +4 −2
apkleaks/apkleaks.py+4 −2 modified@@ -2,6 +2,7 @@ from apkleaks.colors import clr from contextlib import closing from distutils.spawn import find_executable +from pipes import quote from pyaxmlparser import APK from urllib.request import urlopen from zipfile import ZipFile @@ -84,8 +85,9 @@ def decompile(self): classes.write(zipped.read("classes.dex")) except Exception as e: sys.exit(self.writeln(str(e), clr.WARNING)) - dec = "%s %s -d %s --deobf" % (self.jadx, dex, self.tempdir) - os.system(dec) + args = [self.jadx, dex, "-d", self.tempdir, "--deobf"] + comm = "%s" % (" ".join(quote(arg) for arg in args)) + os.system(comm) return self.tempdir def unique(self, list):
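Review bot: `from pipes import quote` in the import hunk pulls in a module that was deprecated in Python 3.11 and removed in 3.13; `pipes.quote` is only a re-export of `shlex.quote`, so `from shlex import quote` gives the same behaviour without tying the tool to a module that is going away.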
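Review bot: the decompile() hunk still hands the command to `os.system`, so the fix is only as strong as the quoting; the `args` list built here is already the shape `subprocess.run(args)` takes, and running it without a shell removes the injection surface instead of escaping it. Also `comm = "%s" % (" ".join(quote(arg) for arg in args))` is an identity format; `comm = " ".join(quote(arg) for arg in args)` reads cleaner. A regression test with a package name containing `;` would pin the behaviour either way.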
Vulnerability mechanics
Generated on May 9, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.
References
[1] https://github.com/advisories/GHSA-8434-v7xw-8m9x (GitHub advisory)
[2] https://nvd.nist.gov/vuln/detail/CVE-2021-21386 (NVD)
[3] https://github.com/dwisiswant0/apkleaks/commit/a966e781499ff6fd4eea66876d7532301b13a382 (fix commit)
[4] https://github.com/dwisiswant0/apkleaks/security/advisories/GHSA-8434-v7xw-8m9x (repository security advisory)