CVE-2023-46115

Name of the Vulnerable Software and Affected Versions Tauri versions prior to 2.0.0-alpha.16 or 1.5.6

Description This issue is related to a misconfiguration in the Tauri documentation that could lead to the leaking of the private key and updater key password into bundled Tauri applications using the Vite frontend in a specific configuration. The Tauri documentation used an insecure example configuration in the Vite guide, which could cause the TAURI PRIVATE KEY and TAURI KEY PASSWORD to be bundled into the Vite frontend code. This issue only affects a very limited amount of applications. To verify if you are affected, you can search for the private key value or the TAURI PRIVATE KEY variable inside the release build frontend assets (dist/).

Recommendations To resolve the issue, update the envPrefix configuration in vite.config.ts to use envPrefix: ['VITE '] and manually add the desired TAURI variables. Rotate your updater private key by generating a new private key with tauri signer generate, saving the new private key, and updating the updater's pubkey value on tauri.conf.json with the new public key. To update your existing application, the next application build must be signed with the older private key in order to be accepted by the existing application.