CVE-2024-42029: n/a
xdg-desktop-portal-hyprland (aka an XDG Desktop Portal backend for Hyprland) before 1.3.3 allows OS command execution, e.g., because single quotes are not used when sending a list of app IDs and titles via the environment.
AI Analysis
Technical Summary
CVE-2024-42029 is a command injection vulnerability identified in xdg-desktop-portal-hyprland, a backend component for the XDG Desktop Portal tailored for the Hyprland Wayland compositor. The vulnerability exists because the software does not properly enclose app IDs and titles in single quotes when passing them as environment variables. This improper sanitization allows an attacker with local privileges to inject arbitrary OS commands, leading to command execution on the host system. The flaw is classified under CWE-78 (Improper Neutralization of Special Elements used in an OS Command). Exploitation does not require user interaction but does require at least low-level privileges (PR:L). The CVSS v3.1 vector (AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L) indicates network attack vector, low attack complexity, privileges required, no user interaction, unchanged scope, and low impact on confidentiality, integrity, and availability. The vulnerability affects versions prior to 1.3.3; version 1.3.3 addresses the issue by properly quoting environment variables to prevent command injection. No public exploits or widespread attacks have been reported as of the publication date (July 27, 2024).
Potential Impact
The vulnerability allows an attacker with local access and some privileges to execute arbitrary OS commands, potentially leading to unauthorized system modifications, data leakage, or service disruption. Although the impact on confidentiality, integrity, and availability is rated low to medium, the ability to execute arbitrary commands can be leveraged for privilege escalation or lateral movement within a compromised environment. Organizations using Hyprland with the vulnerable xdg-desktop-portal backend risk local compromise of user sessions or escalation to higher privileges if combined with other vulnerabilities. This can affect desktop users, developers, or systems relying on Hyprland for graphical sessions, particularly in Linux environments where this compositor is deployed. The lack of known exploits reduces immediate risk, but the vulnerability remains a significant concern for security hygiene and system integrity.
Mitigation Recommendations
The primary mitigation is to upgrade xdg-desktop-portal-hyprland to version 1.3.3 or later, where the vulnerability is fixed by proper quoting of environment variables to prevent command injection. Until patching is possible, organizations should restrict local access to trusted users only and monitor for suspicious activity related to the portal backend. Employing application sandboxing or mandatory access controls (e.g., SELinux, AppArmor) can limit the impact of potential exploitation. Additionally, auditing environment variable handling in custom or third-party integrations with xdg-desktop-portal-hyprland can help identify and remediate similar injection risks. Regularly updating Linux desktop components and maintaining least privilege principles for user accounts will reduce exposure.
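For auditing environment variable handling as recommended above, the following added example (not code from xdg-desktop-portal-hyprland) shows the weak pattern next to two hardened forms. It goes one step beyond the single-quote fix by also showing a launch that bypasses the shell entirely. The variable name `WINDOW_LIST`, the helper process and the sample title are assumptions made for illustration.

```python
import os
import shlex
import subprocess
import sys

# Constructed sample title; window titles are set by the client application,
# so the launcher must treat them as untrusted data.
SAMPLE_TITLE = "notes $(echo EXPANDED) it's"

# Hypothetical helper standing in for the process that reads the list: it
# prints the WINDOW_LIST variable (an assumed name) exactly as received.
HELPER = [sys.executable, "-c",
          "import os; print(os.environ['WINDOW_LIST'], end='')"]
HELPER_CMD = " ".join(shlex.quote(arg) for arg in HELPER)


def _run_shell(command_line):
    return subprocess.run(["sh", "-c", command_line],
                          capture_output=True, text=True, check=True).stdout


def launch_double_quoted(title):
    """Weak: inside double quotes the shell still expands $(...) and `...`."""
    return _run_shell(f'WINDOW_LIST="{title}" {HELPER_CMD}')


def launch_single_quoted(title):
    """Hardened: single-quoted, with embedded ' escaped by shlex.quote."""
    return _run_shell(f"WINDOW_LIST={shlex.quote(title)} {HELPER_CMD}")


def launch_without_shell(title):
    """Hardened: no shell parses the value; it is set in the child's env."""
    env = dict(os.environ, WINDOW_LIST=title)
    return subprocess.run(HELPER, env=env, capture_output=True,
                          text=True, check=True).stdout


if __name__ == "__main__":
    for launch in (launch_double_quoted, launch_single_quoted,
                   launch_without_shell):
        received = launch(SAMPLE_TITLE)
        verdict = "intact" if received == SAMPLE_TITLE else "ALTERED"
        print(f"{launch.__name__:22} {verdict}: {received!r}")
```

A round-trip comparison like this makes a useful regression test for any launcher that hands titles or IDs to a child process: the child must receive exactly the bytes that were sent.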
Affected Countries
United States, Germany, France, United Kingdom, Netherlands, Canada, Australia, Japan, South Korea, India
Technical Details
- Data Version: 5.1
- Assigner Short Name: mitre
- Date Reserved: 2024-07-27T00:00:00.000Z
- CVSS Version: 3.1
- State: PUBLISHED
Threat ID: 699f6cc0b7ef31ef0b568bee
Added to database: 2/25/2026, 9:42:24 PM
Last enriched: 2/26/2026, 7:16:30 AM
Last updated: 4/12/2026, 3:42:36 PM