CVE-2021-24035

Published Jun 11, 2021

Last updated 6 months ago

CVSS critical 9.1

Overview

Description
A lack of filename validation when unzipping archives prior to WhatsApp for Android v2.21.8.13 and WhatsApp Business for Android v2.21.8.13 could have allowed path traversal attacks that overwrite WhatsApp files.
Source
cve-assign@fb.com
NVD status
Modified
Products
whatsapp, whatsapp_business

Risk scores

CVSS 3.1

Type
Primary
Base score
9.1
Impact score
5.2
Exploitability score
3.9
Vector string
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:H
Severity
CRITICAL

CVSS 2.0

Type
Primary
Base score
6.4
Impact score
4.9
Exploitability score
10
Vector string
AV:N/AC:L/Au:N/C:N/I:P/A:P

Weaknesses

cve-assign@fb.com
CWE-23
nvd@nist.gov
CWE-22

Social media

Hype score
Not currently trending

Configurations

Related CVEs

  1. Incomplete validation of rich response messages in WhatsApp for iOS prior to v2.25.23.73, WhatsApp Business for iOS v2.25.23.82, and WhatsApp for Mac v2.25.23.83 could have allowed a user to trigger processing of media content from an arbitrary URL on another user’s device. We have not seen evidence of exploitation in the wild.CVE-2025-55179
  2. Meta Platforms WhatsApp Incorrect Authorization VulnerabilityCVE-2025-55177
  3. A spoofing issue in WhatsApp for Windows prior to version 2.2450.6 displayed attachments according to their MIME type but selected the file opening handler based on the attachment’s filename extension. A maliciously crafted mismatch could have caused the recipient to inadvertently execute arbitrary code rather than view the attachment when manually opening the attachment inside WhatsApp. We have not seen evidence of exploitation in the wild.CVE-2025-30401
  4. An integer overflow in WhatsApp could result in remote code execution in an established video call.CVE-2022-36934
  5. WhatsApp Cross-Site Scripting VulnerabilityCVE-2019-18426

References

Sources include official advisories and independent security research.