cvelistv5 - cve-2024-35222

CVE-2024-35222 (GCVE-0-2024-35222)

Vulnerability from cvelistv5 – Published: 2024-05-23 13:20 – Updated: 2024-08-02 03:07

Summary

Tauri is a framework for building binaries for all major desktop platforms. Remote origin iFrames in Tauri applications can access the Tauri IPC endpoints without being explicitly allowed in the `dangerousRemoteDomainIpcAccess` in v1 and in the `capabilities` in v2. Valid commands with potentially unwanted consequences ("delete project", "transfer credits", etc.) could be invoked by an attacker that controls the content of an iframe running inside a Tauri app. This vulnerability has been patched in versions 1.6.7 and 2.0.0-beta.19.

Severity ?

5.9 (Medium)


                        
                          CVSS:3.1/AV:N/AC:H/PR:L/UI:R/S:U/C:H/I:L/A:L

CWE

CWE-284 - Improper Access Control

Assigner

GitHub_M

References

URL

Tags

	https://github.com/tauri-apps/tauri/security/advi…	x_refsource_CONFIRM
	https://github.com/tauri-apps/tauri/issues/8316	x_refsource_MISC

Impacted products

	Vendor	Product	Version
	tauri-apps	tauri	Affected: <= 1.6.6 Affected: >= 2.0.0-beta.0, <= 2.0.0-beta.19

Show details on NVD website

JSON

To clipboard

{
  "containers": {
    "adp": [
      {
        "affected": [
          {
            "cpes": [
              "cpe:2.3:a:tauri:tauri:1.6.6:*:*:*:*:*:*:*"
            ],
            "defaultStatus": "affected",
            "product": "tauri",
            "vendor": "tauri",
            "versions": [
              {
                "status": "affected",
                "version": "1.6.6"
              },
              {
                "lessThanOrEqual": "2.0.0-beta.19",
                "status": "affected",
                "version": "2.0.0-beta.0",
                "versionType": "custom"
              }
            ]
          }
        ],
        "metrics": [
          {
            "other": {
              "content": {
                "id": "CVE-2024-35222",
                "options": [
                  {
                    "Exploitation": "poc"
                  },
                  {
                    "Automatable": "no"
                  },
                  {
                    "Technical Impact": "partial"
                  }
                ],
                "role": "CISA Coordinator",
                "timestamp": "2024-05-23T16:19:02.005386Z",
                "version": "2.0.3"
              },
              "type": "ssvc"
            }
          }
        ],
        "providerMetadata": {
          "dateUpdated": "2024-06-04T17:34:02.079Z",
          "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
          "shortName": "CISA-ADP"
        },
        "title": "CISA ADP Vulnrichment"
      },
      {
        "providerMetadata": {
          "dateUpdated": "2024-08-02T03:07:46.872Z",
          "orgId": "af854a3a-2127-422b-91ae-364da2661108",
          "shortName": "CVE"
        },
        "references": [
          {
            "name": "https://github.com/tauri-apps/tauri/security/advisories/GHSA-57fm-592m-34r7",
            "tags": [
              "x_refsource_CONFIRM",
              "x_transferred"
            ],
            "url": "https://github.com/tauri-apps/tauri/security/advisories/GHSA-57fm-592m-34r7"
          },
          {
            "name": "https://github.com/tauri-apps/tauri/issues/8316",
            "tags": [
              "x_refsource_MISC",
              "x_transferred"
            ],
            "url": "https://github.com/tauri-apps/tauri/issues/8316"
          }
        ],
        "title": "CVE Program Container"
      }
    ],
    "cna": {
      "affected": [
        {
          "product": "tauri",
          "vendor": "tauri-apps",
          "versions": [
            {
              "status": "affected",
              "version": "\u003c= 1.6.6"
            },
            {
              "status": "affected",
              "version": "\u003e= 2.0.0-beta.0, \u003c= 2.0.0-beta.19"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "Tauri is a framework for building binaries for all major desktop platforms. Remote origin iFrames in Tauri applications can access the Tauri IPC endpoints without being explicitly allowed in the `dangerousRemoteDomainIpcAccess` in v1 and in the `capabilities` in v2. Valid commands with potentially unwanted consequences (\"delete project\", \"transfer credits\", etc.) could be invoked by an attacker that controls the content of an iframe running inside a Tauri app. This vulnerability has been patched in versions 1.6.7 and 2.0.0-beta.19."
        }
      ],
      "metrics": [
        {
          "cvssV3_1": {
            "attackComplexity": "HIGH",
            "attackVector": "NETWORK",
            "availabilityImpact": "LOW",
            "baseScore": 5.9,
            "baseSeverity": "MEDIUM",
            "confidentialityImpact": "HIGH",
            "integrityImpact": "LOW",
            "privilegesRequired": "LOW",
            "scope": "UNCHANGED",
            "userInteraction": "REQUIRED",
            "vectorString": "CVSS:3.1/AV:N/AC:H/PR:L/UI:R/S:U/C:H/I:L/A:L",
            "version": "3.1"
          }
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "cweId": "CWE-284",
              "description": "CWE-284: Improper Access Control",
              "lang": "en",
              "type": "CWE"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2024-05-23T13:20:26.220Z",
        "orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
        "shortName": "GitHub_M"
      },
      "references": [
        {
          "name": "https://github.com/tauri-apps/tauri/security/advisories/GHSA-57fm-592m-34r7",
          "tags": [
            "x_refsource_CONFIRM"
          ],
          "url": "https://github.com/tauri-apps/tauri/security/advisories/GHSA-57fm-592m-34r7"
        },
        {
          "name": "https://github.com/tauri-apps/tauri/issues/8316",
          "tags": [
            "x_refsource_MISC"
          ],
          "url": "https://github.com/tauri-apps/tauri/issues/8316"
        }
      ],
      "source": {
        "advisory": "GHSA-57fm-592m-34r7",
        "discovery": "UNKNOWN"
      },
      "title": "iFrames Bypass Origin Checks for Tauri API Access Control"
    }
  },
  "cveMetadata": {
    "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
    "assignerShortName": "GitHub_M",
    "cveId": "CVE-2024-35222",
    "datePublished": "2024-05-23T13:20:26.220Z",
    "dateReserved": "2024-05-14T15:39:41.784Z",
    "dateUpdated": "2024-08-02T03:07:46.872Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.1",
  "vulnerability-lookup:meta": {
    "fkie_nvd": {
      "descriptions": "[{\"lang\": \"en\", \"value\": \"Tauri is a framework for building binaries for all major desktop platforms. Remote origin iFrames in Tauri applications can access the Tauri IPC endpoints without being explicitly allowed in the `dangerousRemoteDomainIpcAccess` in v1 and in the `capabilities` in v2. Valid commands with potentially unwanted consequences (\\\"delete project\\\", \\\"transfer credits\\\", etc.) could be invoked by an attacker that controls the content of an iframe running inside a Tauri app. This vulnerability has been patched in versions 1.6.7 and 2.0.0-beta.19.\"}, {\"lang\": \"es\", \"value\": \"Tauri es un framework para crear archivos binarios para las principales plataformas de escritorio. Los iFrames de origen remoto en aplicaciones Tauri pueden acceder a los endpoints de Tauri IPC sin estar permitidos expl\\u00edcitamente en `dangerousRemoteDomainIpcAccess` en v1 y en las `capacidades` en v2. Un atacante que controle el contenido de un iframe que se ejecuta dentro de una aplicaci\\u00f3n Tauri podr\\u00eda invocar comandos v\\u00e1lidos con consecuencias potencialmente no deseadas (\\\"eliminar proyecto\\\", \\\"transferir cr\\u00e9ditos\\\", etc.). Esta vulnerabilidad ha sido parcheada en las versiones 1.6.7 y 2.0.0-beta.19.\"}]",
      "id": "CVE-2024-35222",
      "lastModified": "2024-11-21T09:19:58.127",
      "metrics": "{\"cvssMetricV31\": [{\"source\": \"security-advisories@github.com\", \"type\": \"Secondary\", \"cvssData\": {\"version\": \"3.1\", \"vectorString\": \"CVSS:3.1/AV:N/AC:H/PR:L/UI:R/S:U/C:H/I:L/A:L\", \"baseScore\": 5.9, \"baseSeverity\": \"MEDIUM\", \"attackVector\": \"NETWORK\", \"attackComplexity\": \"HIGH\", \"privilegesRequired\": \"LOW\", \"userInteraction\": \"REQUIRED\", \"scope\": \"UNCHANGED\", \"confidentialityImpact\": \"HIGH\", \"integrityImpact\": \"LOW\", \"availabilityImpact\": \"LOW\"}, \"exploitabilityScore\": 1.2, \"impactScore\": 4.7}]}",
      "published": "2024-05-23T14:15:09.603",
      "references": "[{\"url\": \"https://github.com/tauri-apps/tauri/issues/8316\", \"source\": \"security-advisories@github.com\"}, {\"url\": \"https://github.com/tauri-apps/tauri/security/advisories/GHSA-57fm-592m-34r7\", \"source\": \"security-advisories@github.com\"}, {\"url\": \"https://github.com/tauri-apps/tauri/issues/8316\", \"source\": \"af854a3a-2127-422b-91ae-364da2661108\"}, {\"url\": \"https://github.com/tauri-apps/tauri/security/advisories/GHSA-57fm-592m-34r7\", \"source\": \"af854a3a-2127-422b-91ae-364da2661108\"}]",
      "sourceIdentifier": "security-advisories@github.com",
      "vulnStatus": "Awaiting Analysis",
      "weaknesses": "[{\"source\": \"security-advisories@github.com\", \"type\": \"Secondary\", \"description\": [{\"lang\": \"en\", \"value\": \"CWE-284\"}]}]"
    },
    "nvd": "{\"cve\":{\"id\":\"CVE-2024-35222\",\"sourceIdentifier\":\"security-advisories@github.com\",\"published\":\"2024-05-23T14:15:09.603\",\"lastModified\":\"2024-11-21T09:19:58.127\",\"vulnStatus\":\"Awaiting Analysis\",\"cveTags\":[],\"descriptions\":[{\"lang\":\"en\",\"value\":\"Tauri is a framework for building binaries for all major desktop platforms. Remote origin iFrames in Tauri applications can access the Tauri IPC endpoints without being explicitly allowed in the `dangerousRemoteDomainIpcAccess` in v1 and in the `capabilities` in v2. Valid commands with potentially unwanted consequences (\\\"delete project\\\", \\\"transfer credits\\\", etc.) could be invoked by an attacker that controls the content of an iframe running inside a Tauri app. This vulnerability has been patched in versions 1.6.7 and 2.0.0-beta.19.\"},{\"lang\":\"es\",\"value\":\"Tauri es un framework para crear archivos binarios para las principales plataformas de escritorio. Los iFrames de origen remoto en aplicaciones Tauri pueden acceder a los endpoints de Tauri IPC sin estar permitidos expl\u00edcitamente en `dangerousRemoteDomainIpcAccess` en v1 y en las `capacidades` en v2. Un atacante que controle el contenido de un iframe que se ejecuta dentro de una aplicaci\u00f3n Tauri podr\u00eda invocar comandos v\u00e1lidos con consecuencias potencialmente no deseadas (\\\"eliminar proyecto\\\", \\\"transferir cr\u00e9ditos\\\", etc.). Esta vulnerabilidad ha sido parcheada en las versiones 1.6.7 y 2.0.0-beta.19.\"}],\"metrics\":{\"cvssMetricV31\":[{\"source\":\"security-advisories@github.com\",\"type\":\"Secondary\",\"cvssData\":{\"version\":\"3.1\",\"vectorString\":\"CVSS:3.1/AV:N/AC:H/PR:L/UI:R/S:U/C:H/I:L/A:L\",\"baseScore\":5.9,\"baseSeverity\":\"MEDIUM\",\"attackVector\":\"NETWORK\",\"attackComplexity\":\"HIGH\",\"privilegesRequired\":\"LOW\",\"userInteraction\":\"REQUIRED\",\"scope\":\"UNCHANGED\",\"confidentialityImpact\":\"HIGH\",\"integrityImpact\":\"LOW\",\"availabilityImpact\":\"LOW\"},\"exploitabilityScore\":1.2,\"impactScore\":4.7}]},\"weaknesses\":[{\"source\":\"security-advisories@github.com\",\"type\":\"Secondary\",\"description\":[{\"lang\":\"en\",\"value\":\"CWE-284\"}]}],\"references\":[{\"url\":\"https://github.com/tauri-apps/tauri/issues/8316\",\"source\":\"security-advisories@github.com\"},{\"url\":\"https://github.com/tauri-apps/tauri/security/advisories/GHSA-57fm-592m-34r7\",\"source\":\"security-advisories@github.com\"},{\"url\":\"https://github.com/tauri-apps/tauri/issues/8316\",\"source\":\"af854a3a-2127-422b-91ae-364da2661108\"},{\"url\":\"https://github.com/tauri-apps/tauri/security/advisories/GHSA-57fm-592m-34r7\",\"source\":\"af854a3a-2127-422b-91ae-364da2661108\"}]}}",
    "vulnrichment": {
      "containers": "{\"cna\": {\"title\": \"iFrames Bypass Origin Checks for Tauri API Access Control\", \"problemTypes\": [{\"descriptions\": [{\"cweId\": \"CWE-284\", \"lang\": \"en\", \"description\": \"CWE-284: Improper Access Control\", \"type\": \"CWE\"}]}], \"metrics\": [{\"cvssV3_1\": {\"attackComplexity\": \"HIGH\", \"attackVector\": \"NETWORK\", \"availabilityImpact\": \"LOW\", \"baseScore\": 5.9, \"baseSeverity\": \"MEDIUM\", \"confidentialityImpact\": \"HIGH\", \"integrityImpact\": \"LOW\", \"privilegesRequired\": \"LOW\", \"scope\": \"UNCHANGED\", \"userInteraction\": \"REQUIRED\", \"vectorString\": \"CVSS:3.1/AV:N/AC:H/PR:L/UI:R/S:U/C:H/I:L/A:L\", \"version\": \"3.1\"}}], \"references\": [{\"name\": \"https://github.com/tauri-apps/tauri/security/advisories/GHSA-57fm-592m-34r7\", \"tags\": [\"x_refsource_CONFIRM\"], \"url\": \"https://github.com/tauri-apps/tauri/security/advisories/GHSA-57fm-592m-34r7\"}, {\"name\": \"https://github.com/tauri-apps/tauri/issues/8316\", \"tags\": [\"x_refsource_MISC\"], \"url\": \"https://github.com/tauri-apps/tauri/issues/8316\"}], \"affected\": [{\"vendor\": \"tauri-apps\", \"product\": \"tauri\", \"versions\": [{\"version\": \"\u003c= 1.6.6\", \"status\": \"affected\"}, {\"version\": \"\u003e= 2.0.0-beta.0, \u003c= 2.0.0-beta.19\", \"status\": \"affected\"}]}], \"providerMetadata\": {\"orgId\": \"a0819718-46f1-4df5-94e2-005712e83aaa\", \"shortName\": \"GitHub_M\", \"dateUpdated\": \"2024-05-23T13:20:26.220Z\"}, \"descriptions\": [{\"lang\": \"en\", \"value\": \"Tauri is a framework for building binaries for all major desktop platforms. Remote origin iFrames in Tauri applications can access the Tauri IPC endpoints without being explicitly allowed in the `dangerousRemoteDomainIpcAccess` in v1 and in the `capabilities` in v2. Valid commands with potentially unwanted consequences (\\\"delete project\\\", \\\"transfer credits\\\", etc.) could be invoked by an attacker that controls the content of an iframe running inside a Tauri app. This vulnerability has been patched in versions 1.6.7 and 2.0.0-beta.19.\"}], \"source\": {\"advisory\": \"GHSA-57fm-592m-34r7\", \"discovery\": \"UNKNOWN\"}}, \"adp\": [{\"metrics\": [{\"other\": {\"type\": \"ssvc\", \"content\": {\"id\": \"CVE-2024-35222\", \"role\": \"CISA Coordinator\", \"options\": [{\"Exploitation\": \"poc\"}, {\"Automatable\": \"no\"}, {\"Technical Impact\": \"partial\"}], \"version\": \"2.0.3\", \"timestamp\": \"2024-05-23T16:19:02.005386Z\"}}}], \"affected\": [{\"cpes\": [\"cpe:2.3:a:tauri:tauri:1.6.6:*:*:*:*:*:*:*\"], \"vendor\": \"tauri\", \"product\": \"tauri\", \"versions\": [{\"status\": \"affected\", \"version\": \"1.6.6\"}, {\"status\": \"affected\", \"version\": \"2.0.0-beta.0\", \"versionType\": \"custom\", \"lessThanOrEqual\": \"2.0.0-beta.19\"}], \"defaultStatus\": \"affected\"}], \"providerMetadata\": {\"orgId\": \"134c704f-9b21-4f2e-91b3-4a467353bcc0\", \"shortName\": \"CISA-ADP\", \"dateUpdated\": \"2024-05-23T16:25:43.216Z\"}, \"title\": \"CISA ADP Vulnrichment\"}]}",
      "cveMetadata": "{\"cveId\": \"CVE-2024-35222\", \"assignerOrgId\": \"a0819718-46f1-4df5-94e2-005712e83aaa\", \"state\": \"PUBLISHED\", \"assignerShortName\": \"GitHub_M\", \"dateReserved\": \"2024-05-14T15:39:41.784Z\", \"datePublished\": \"2024-05-23T13:20:26.220Z\", \"dateUpdated\": \"2024-06-04T17:34:02.079Z\"}",
      "dataType": "CVE_RECORD",
      "dataVersion": "5.1"
    }
  }
}

FKIE_CVE-2024-35222

Vulnerability from fkie_nvd - Published: 2024-05-23 14:15 - Updated: 2024-11-21 09:19

Severity ?

5.9 (Medium) - CVSS:3.1/AV:N/AC:H/PR:L/UI:R/S:U/C:H/I:L/A:L

Summary

References

	URL	Tags
	security-advisories@github.com	https://github.com/tauri-apps/tauri/issues/8316
	security-advisories@github.com	https://github.com/tauri-apps/tauri/security/advisories/GHSA-57fm-592m-34r7
	af854a3a-2127-422b-91ae-364da2661108	https://github.com/tauri-apps/tauri/issues/8316
	af854a3a-2127-422b-91ae-364da2661108	https://github.com/tauri-apps/tauri/security/advisories/GHSA-57fm-592m-34r7

Impacted products

	Vendor	Product	Version

JSON

To clipboard

{
  "cveTags": [],
  "descriptions": [
    {
      "lang": "en",
      "value": "Tauri is a framework for building binaries for all major desktop platforms. Remote origin iFrames in Tauri applications can access the Tauri IPC endpoints without being explicitly allowed in the `dangerousRemoteDomainIpcAccess` in v1 and in the `capabilities` in v2. Valid commands with potentially unwanted consequences (\"delete project\", \"transfer credits\", etc.) could be invoked by an attacker that controls the content of an iframe running inside a Tauri app. This vulnerability has been patched in versions 1.6.7 and 2.0.0-beta.19."
    },
    {
      "lang": "es",
      "value": "Tauri es un framework para crear archivos binarios para las principales plataformas de escritorio. Los iFrames de origen remoto en aplicaciones Tauri pueden acceder a los endpoints de Tauri IPC sin estar permitidos expl\u00edcitamente en `dangerousRemoteDomainIpcAccess` en v1 y en las `capacidades` en v2. Un atacante que controle el contenido de un iframe que se ejecuta dentro de una aplicaci\u00f3n Tauri podr\u00eda invocar comandos v\u00e1lidos con consecuencias potencialmente no deseadas (\"eliminar proyecto\", \"transferir cr\u00e9ditos\", etc.). Esta vulnerabilidad ha sido parcheada en las versiones 1.6.7 y 2.0.0-beta.19."
    }
  ],
  "id": "CVE-2024-35222",
  "lastModified": "2024-11-21T09:19:58.127",
  "metrics": {
    "cvssMetricV31": [
      {
        "cvssData": {
          "attackComplexity": "HIGH",
          "attackVector": "NETWORK",
          "availabilityImpact": "LOW",
          "baseScore": 5.9,
          "baseSeverity": "MEDIUM",
          "confidentialityImpact": "HIGH",
          "integrityImpact": "LOW",
          "privilegesRequired": "LOW",
          "scope": "UNCHANGED",
          "userInteraction": "REQUIRED",
          "vectorString": "CVSS:3.1/AV:N/AC:H/PR:L/UI:R/S:U/C:H/I:L/A:L",
          "version": "3.1"
        },
        "exploitabilityScore": 1.2,
        "impactScore": 4.7,
        "source": "security-advisories@github.com",
        "type": "Secondary"
      }
    ]
  },
  "published": "2024-05-23T14:15:09.603",
  "references": [
    {
      "source": "security-advisories@github.com",
      "url": "https://github.com/tauri-apps/tauri/issues/8316"
    },
    {
      "source": "security-advisories@github.com",
      "url": "https://github.com/tauri-apps/tauri/security/advisories/GHSA-57fm-592m-34r7"
    },
    {
      "source": "af854a3a-2127-422b-91ae-364da2661108",
      "url": "https://github.com/tauri-apps/tauri/issues/8316"
    },
    {
      "source": "af854a3a-2127-422b-91ae-364da2661108",
      "url": "https://github.com/tauri-apps/tauri/security/advisories/GHSA-57fm-592m-34r7"
    }
  ],
  "sourceIdentifier": "security-advisories@github.com",
  "vulnStatus": "Awaiting Analysis",
  "weaknesses": [
    {
      "description": [
        {
          "lang": "en",
          "value": "CWE-284"
        }
      ],
      "source": "security-advisories@github.com",
      "type": "Secondary"
    }
  ]
}

GHSA-57FM-592M-34R7

Vulnerability from github – Published: 2024-05-23 14:11 – Updated: 2024-05-23 16:06

Summary

iFrames Bypass Origin Checks for Tauri API Access Control

Details

Impact

Remote origin iFrames in Tauri applications can access the Tauri IPC endpoints without being explicitly allowed in the dangerousRemoteDomainIpcAccess in v1 and in the capabilities in v2. This bypasses the origin check and allows iFrames to access the IPC endpoints exposed to the parent window.

For this to be exploitable, an attacker must have script execution (e.g. XSS) in a script-enabled iFrame of a Tauri application.

Patches

The patches include changes to wry and the behaviour of Tauri applications using iFrames. Previously, we injected the Tauri IPC initialization script into iFrames on MacOS, which was unintended. This is now also disabled to be consistent with all other supported operating systems.

This means that the Tauri invoke functionality is no longer accessible from iFrames, except on Windows when the origin of the Tauri window and the origin of the iFrame are the same.

We have also added a new protection mechanism to the IPC layer to protect against iFrames directly using the WebView IPC functionality (e.g. via window.ipc.postMessage). This introduces an invoke key (__TAURI_INVOKE_KEY__) which is used to prevent frames that have not been initialized by the Tauri core from sending messages to the Tauri IPC. This key is not used to protect against compromised Tauri windows or WebViews and is only intended to block IPC access from sub-frames.

Unauthorized messages to the Tauri IPC from an iFrame or other non-initialized context will log a warning and the potentially malicious IPC call will be ignored.

Workarounds

These workarounds should only be considered if you are unable to upgrade to the patched Tauri version in time.

As a workaround for v1 Tauri applications, we recommend using a dedicated window for untrusted origins instead of iFrames, or disabling script execution within the iFrame.

For v2 Tauri applications targeting Linux, it is possible to use either a dedicated window or multiple WebViews in the main window to simulate iFrame behavior. On other platforms, it is only possible to use dedicated windows or disable script execution inside the iFrame, as described for v1.

References

If you have any questions or comments about this advisory:

Open an issue in tauri or Email us at security@tauri.app

The original submissions from the reporter:

Context

This is following up on the comments here: https://github.com/tauri-apps/tauri/issues/8316, and here: https://discord.com/channels/616186924390023171/1227969106091966475. I was asked to submit my findings as a vulnerability report.

Firstly, thank you to all of you from the core team that helped out and guided me through understanding this issue! Huge fan of Tauri, and I'm excited to see it succeed!

Summary

In short, any iframe you add in your Tauri frontend will get access to Tauri APIs, even in isolation mode.

Any embedded iframe that you don't own will be able to invoke the same APIs your app does. While isolation mode allows for finer grained control of what Tauri APIs can be called, it is not possible to determine if a request is coming your own app, or from a potentially malicious iframe.

This means your app could be open to malicious iframe being able to execute any command your app can, and there doesn't seem to be a mechanism to filter these out.

Details

I'm not an expert in Tauri source code, so I can't be sure I'm on the right track here, but I assume this has to do with how the webview is bootstrapped with the Tauri APIs.

I know there's various handlers that get set, such as opening target="_blank" links via a shell command, and of course setting invoke and other such APIs. Sounds like the issue is somewhere there and the APIs are being injected where they shouldn't.

Technically it seems that an attacker couldn't actually receive a response from the command it executes. Tauri IPC can't route the response back to the invoking iframe, but the action is still executed, with the response just being dropped. You see these messages in the logs:

[Warning] [TAURI] Couldn't find callback id 3399436348 in window. This happens when the app is reloaded while Rust is running an asynchronous operation.

PoC

Repository with reproduction steps: https://github.com/begleynk/tauri-sandbox-iframe-escape-poc

Building on that POC, here is a video of a Codepen iframe running inside an isolation mode Tauri app, invoking the same "Greet" command the frontend is invoking.

https://github.com/tauri-apps/tauri/assets/1065208/8efd5f9d-3116-4068-b98b-6ace7de9261c

This is done with the following code running inside Codepen:

javascript window.__TAURI_INVOKE__("greet", { name: "From CodePen" })

Impact

Valid commands with potentially unwanted consequences ("delete project", "transfer credits", etc.) could be invoked by an attacker that controls the content of an iframe running inside a Tauri app.

Severity ?

5.9 (Medium)


                  
                    CVSS:3.1/AV:N/AC:H/PR:L/UI:R/S:U/C:H/I:L/A:L

Show details on source website

JSON

To clipboard

{
  "affected": [
    {
      "package": {
        "ecosystem": "crates.io",
        "name": "tauri"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "fixed": "1.6.7"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    },
    {
      "package": {
        "ecosystem": "crates.io",
        "name": "tauri"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "2.0.0-beta.0"
            },
            {
              "fixed": "2.0.0-beta.20"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "aliases": [
    "CVE-2024-35222"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-284"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2024-05-23T14:11:24Z",
    "nvd_published_at": "2024-05-23T14:15:09Z",
    "severity": "MODERATE"
  },
  "details": "## Impact\n\nRemote origin iFrames in Tauri applications can access the Tauri IPC endpoints without being explicitly allowed in the [`dangerousRemoteDomainIpcAccess`](https://v1.tauri.app/api/config/#securityconfig.dangerousremotedomainipcaccess) in v1 and in the [`capabilities`](https://v2.tauri.app/security/capabilities/#remote-api-access) in v2.\nThis bypasses the origin check and allows iFrames to access the IPC endpoints exposed to the parent window.\n\nFor this to be exploitable, an attacker must have script execution (e.g. XSS) in a script-enabled iFrame of a Tauri application.\n\n## Patches\n\nThe patches include changes to wry and the behaviour of Tauri applications using iFrames. Previously, we injected the Tauri IPC initialization script into iFrames on MacOS, which was unintended. This is now also disabled to be consistent with all other supported operating systems.\n\nThis means that the Tauri invoke functionality is no longer accessible from iFrames, except on Windows when the origin of the Tauri window and the origin of the iFrame are the same.\n\nWe have also added a new protection mechanism to the IPC layer to protect against iFrames directly using the WebView IPC functionality (e.g. via `window.ipc.postMessage`).\nThis introduces an invoke key (`__TAURI_INVOKE_KEY__`) which is used to prevent frames that have not been initialized by the Tauri core from sending messages to the Tauri IPC.\nThis key is **not** used to protect against compromised Tauri windows or WebViews and is **only** intended to block IPC access from sub-frames.\n\nUnauthorized messages to the Tauri IPC from an iFrame or other non-initialized context will log a warning and the potentially malicious IPC call will be ignored.\n\n## Workarounds\n\nThese workarounds should only be considered if you are unable to upgrade to the patched Tauri version in time.\n\nAs a workaround for v1 Tauri applications, we recommend using a dedicated window for untrusted origins instead of iFrames, or disabling script execution within the iFrame.\n\nFor v2 Tauri applications targeting Linux, it is possible to use either a dedicated window or [multiple WebViews](https://github.com/tauri-apps/tauri/tree/dev/examples/multiwebview) in the main window to simulate iFrame behavior.\nOn other platforms, it is only possible to use dedicated windows or disable script execution inside the iFrame, as described for v1.\n\n## References\n\nIf you have any questions or comments about this advisory:\n\nOpen an issue in tauri or\nEmail us at [security@tauri.app](mailto:security@tauri.app)\n\nThe original submissions from the reporter:\n\n\u003e ### Context\n\u003e \n\u003e This is following up on the comments here: https://github.com/tauri-apps/tauri/issues/8316, and here: https://discord.com/channels/616186924390023171/1227969106091966475. I was asked to submit my findings as a vulnerability report.\n\u003e \n\u003e Firstly, thank you to all of you from the core team that helped out and guided me through understanding this issue! Huge fan of Tauri, and I\u0027m excited to see it succeed!\n\u003e \n\u003e ### Summary\n\u003e \n\u003e In short, **any iframe you add in your Tauri frontend will get access to Tauri APIs, even in isolation mode**.\n\u003e \n\u003e Any embedded iframe that you don\u0027t own will be able to invoke the same APIs your app does. While isolation mode allows for finer grained control of what Tauri APIs can be called, it is not possible to determine if a request is coming your own app, or from a potentially malicious iframe.\n\u003e \n\u003e This means your app could be open to malicious iframe being able to execute any command your app can, and there doesn\u0027t seem to be a mechanism to filter these out.\n\u003e \n\u003e ### Details\n\u003e \n\u003e I\u0027m not an expert in Tauri source code, so I can\u0027t be sure I\u0027m on the right track here, but I assume this has to do with how the webview is bootstrapped with the Tauri APIs.\n\u003e \n\u003e I know there\u0027s various handlers that get set, such as opening `target=\"_blank\"` links via a shell command, and of course setting `invoke` and other such APIs. Sounds like the issue is somewhere there and the APIs are being injected where they shouldn\u0027t.\n\u003e \n\u003e Technically it seems that an attacker couldn\u0027t actually receive a response from the command it executes. Tauri IPC can\u0027t route the response back to the invoking iframe, but the action is still executed, with the response just being dropped. You see these messages in the logs:\n\u003e \n\u003e ```\n\u003e [Warning] [TAURI] Couldn\u0027t find callback id 3399436348 in window. This happens when the app is reloaded while Rust is running an asynchronous operation.\n\u003e ```\n\u003e \n\u003e ### PoC\n\u003e \n\u003e Repository with reproduction steps: https://github.com/begleynk/tauri-sandbox-iframe-escape-poc\n\u003e \n\u003e Building on that POC, here is a video of a Codepen iframe running inside an isolation mode Tauri app, invoking the same \"Greet\" command the frontend is invoking.\n\u003e \n\u003e https://github.com/tauri-apps/tauri/assets/1065208/8efd5f9d-3116-4068-b98b-6ace7de9261c\n\u003e \n\u003e This is done with the following code running inside Codepen:\n\u003e \n\u003e ```javascript\n\u003e window.__TAURI_INVOKE__(\"greet\", { name: \"From CodePen\" })\n\u003e ```\n\u003e \n\u003e ### Impact\n\u003e \n\u003e Valid commands with potentially unwanted consequences (\"delete project\", \"transfer credits\", etc.) could be invoked by an attacker that controls the content of an iframe running inside a Tauri app.\n",
  "id": "GHSA-57fm-592m-34r7",
  "modified": "2024-05-23T16:06:39Z",
  "published": "2024-05-23T14:11:24Z",
  "references": [
    {
      "type": "WEB",
      "url": "https://github.com/tauri-apps/tauri/security/advisories/GHSA-57fm-592m-34r7"
    },
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-35222"
    },
    {
      "type": "WEB",
      "url": "https://github.com/tauri-apps/tauri/issues/8316"
    },
    {
      "type": "WEB",
      "url": "https://github.com/tauri-apps/tauri/commit/d950ac1239817d17324c035e5c4769ee71fc197d"
    },
    {
      "type": "WEB",
      "url": "https://github.com/tauri-apps/tauri/commit/f6d81dfe0871e0ccd012e5190d41e3767e733608"
    },
    {
      "type": "PACKAGE",
      "url": "https://github.com/tauri-apps/tauri"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:H/PR:L/UI:R/S:U/C:H/I:L/A:L",
      "type": "CVSS_V3"
    }
  ],
  "summary": "iFrames Bypass Origin Checks for Tauri API Access Control"
}

Sightings

Author	Source	Type	Date

Nomenclature

Seen: The vulnerability was mentioned, discussed, or observed by the user.
Confirmed: The vulnerability has been validated from an analyst's perspective.
Published Proof of Concept: A public proof of concept is available for this vulnerability.
Exploited: The vulnerability was observed as exploited by the user who reported the sighting.
Patched: The vulnerability was observed as successfully patched by the user who reported the sighting.
Not exploited: The vulnerability was not observed as exploited by the user who reported the sighting.
Not confirmed: The user expressed doubt about the validity of the vulnerability.
Not patched: The vulnerability was not observed as successfully patched by the user who reported the sighting.

Detection rules are retrieved from Rulezet.

Action not permitted

CVE-2024-35222 (GCVE-0-2024-35222)

FKIE_CVE-2024-35222

GHSA-57FM-592M-34R7

Impact

Patches

Workarounds

References

Context

Summary

Details

PoC

Impact

Tags

Sightings

Nomenclature