Tracker
Named security defects in Dropbox's software — plus documented abuse of its platform — with severity, status, and sources. A serious record tracks the identifier-bearing flaws, not only the headline breaches.
CVE-2024-5924
Severity: Medium | Status: Patched | Year: 2024
Files arriving via Dropbox sync could be written without the Windows 'Mark of the Web' flag, stripping the SmartScreen / Protected View warnings that protect users from running downloaded, untrusted content. Remediated in current client releases.
Affected: Dropbox desktop (Windows)
CVE-2024-25718
Severity: Medium | Status: Patched | Year: 2024
A heap-buffer-overflow in Lepton, Dropbox's open-source JPEG-recompression library used in its storage pipeline, could be triggered by a crafted image (in aligned_dealloc(), src/lepton/bitops.cc), leading to denial of service or possible escalation. Fixed in Lepton 1.2.1.
Affected: Lepton (Dropbox open-source image compression, < 1.2.1)
Platform abuse (C2)
Severity: Medium | Status: Ongoing | Year: 2024
Not a flaw in Dropbox, but a recurring abuse: state-aligned groups (e.g. Kimsuky, ScarCruft) use the trusted Dropbox API as a command-and-control and exfiltration channel that blends into normal enterprise traffic.
Affected: Dropbox API
CVE-2022-4768
Severity: High | Status: Patched | Year: 2022
A critical remote injection flaw in the add_public_key function of merou (Dropbox's open-source 'Grouper' authorization-management tool): the public_key_str argument was insufficiently validated, enabling code injection. Remotely exploitable; patched upstream.
Affected: merou / Grouper (Dropbox open-source authorization tool)
2019 client zero-day
Severity: High | Status: Patched | Year: 2019
A researcher disclosed a privilege-escalation flaw in the Dropbox updater service on Windows that could let a low-privileged user gain SYSTEM rights. Dropbox patched the issue after disclosure.
Affected: Dropbox desktop (Windows)
Keeping the Dropbox desktop and mobile apps updated remediates the client-side issues above. See the breach tracker for full incident reports.