Lucasfernog

**Name of the Vulnerable Software and Affected Versions** Tauri versions prior to 2.0.0-alpha.16 or 1.5.6 **Description** This issue is related to a misconfiguration in the Tauri documentation that could lead to the leaking of the private key and updater key password into bundled Tauri applications using the Vite frontend in a specific configuration. The Tauri documentation used an insecure example configuration in the Vite guide, which could cause the `TAURI PRIVATE KEY` and `TAURI KEY PASSWORD` to be bundled into the Vite frontend code. This issue only affects a very limited amount of applications. To verify if you are affected, you can search for the private key value or the `TAURI PRIVATE KEY` variable inside the release build frontend assets (`dist/`). **Recommendations** To resolve the issue, update the `envPrefix` configuration in `vite.config.ts` to use `envPrefix: ['VITE ']` and manually add the desired `TAURI` variables. Rotate your updater private key by generating a new private key with `tauri signer generate`, saving the new private key, and updating the updater's `pubkey` value on `tauri.conf.json` with the new public key. To update your existing application, the next application build must be signed with the older private key in order to be accepted by the existing application.

**Name of the Vulnerable Software and Affected Versions** Tauri versions 1.0.0 through 1.0.9 Tauri versions 1.1.0 through 1.1.4 Tauri versions 1.2.0 through 1.2.5 **Description** The Tauri IPC is usually strictly isolated from external websites, but the isolation can be bypassed by redirecting an existing Tauri window to an external website. This can be done either by an application implementing a feature for users to visit arbitrary websites or due to a bug allowing the open redirect. This allows the external website access to the IPC layer and therefore to all configured and exposed Tauri API endpoints and application-specific implemented Tauri commands. **Recommendations** For versions 1.0.0 through 1.0.9, update to version 1.0.9 or later to patch the issue. For versions 1.1.0 through 1.1.4, update to version 1.1.4 or later to patch the issue. For versions 1.2.0 through 1.2.5, update to version 1.2.5 or later to patch the issue. As a temporary workaround, prevent arbitrary input in redirect features and/or only allow trusted websites access to the IPC.

**Name of the Vulnerable Software and Affected Versions** Tauri versions prior to the latest release Tauri versions 1.x prior to the backported patch **Description** The filesystem glob pattern wildcards `*`, `?`, and `[...]` match file path literals and leading dots by default, which unintentionally exposes sub folder content of allowed paths. Scopes without the wildcards are not affected. As `**` allows for sub directories, the behavior there is also as expected. The issue has been patched in the latest release and was backported into the currently supported 1.x branches. **Recommendations** For Tauri versions prior to the latest release, update to the latest release to resolve the issue. For Tauri versions 1.x, apply the backported patch to resolve the issue. As a temporary workaround, consider restricting the use of the `*`, `?`, and `[...]` glob patterns in `fs` scopes to minimize the risk of exploitation. Avoid using the `dialog.open` component with the `recursive` option set to `false` until the issue is resolved.